First published: Tue Mar 10 2020
In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. For its own needs, this extension exposes an HTTP endpoint that returns the content of any file on the host's filesystem, given its path, without restricting the origin of the requester. Because the endpoint trusts every request it receives, it can be exploited remotely through a DNS rebinding attack (an attacker-controlled hostname that is re-resolved to the loopback address, so the victim's browser sends requests to the local Theia server) or through a drive-by download of a carefully crafted exploit page that issues cross-origin requests to it.
Credit: emo@eclipse.org
Affected Software | Affected Version | How to fix
---|---|---
Eclipse Theia | >=0.3.9, <=0.15.0 | 
CVE-2019-17636 is a vulnerability in Eclipse Theia versions 0.3.9 through 0.15.0 that lets a remote attacker read files on the host's filesystem through the Mini-Browser extension's HTTP endpoint.
CVE-2019-17636 has a severity score of 8.1 (High).
Eclipse Theia versions 0.3.9 through 0.15.0 are affected by CVE-2019-17636.
The Common Weakness Enumeration (CWE) ID for CVE-2019-17636 is CWE-345 (Insufficient Verification of Data Authenticity).
More information about CVE-2019-17636 is available at https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747.