CVE-2019-17636
First published: Tue Mar 10 2020(Updated: )
In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the host's filesystem, given their path, without restrictions on the requester's origin. This design is vulnerable to being exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Eclipse Theia | >=0.3.9<=0.15.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-17636?
CVE-2019-17636 is a vulnerability in Eclipse Theia versions 0.3.9 through 0.15.0 that allows unauthorized access to files on the host's filesystem.
How severe is CVE-2019-17636?
CVE-2019-17636 has a severity rating of 8.1 (high).
Which software versions are affected by CVE-2019-17636?
Eclipse Theia versions 0.3.9 through 0.15.0 are affected by CVE-2019-17636.
What is the Common Weakness Enumeration (CWE) ID for CVE-2019-17636?
The Common Weakness Enumeration (CWE) ID for CVE-2019-17636 is 345.
Is there a reference for CVE-2019-17636?
Yes, you can find more information about CVE-2019-17636 at https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747.
- collector/nvd-index
- vendor/eclipse
- canonical/eclipse theia
- version/eclipse theia/0.3.9
- version/eclipse theia/0.15.0