CVE-2019-17636: Insufficient Verification of Data Authenticity

April 13, 2021

In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is “Mini-Browser”, published as “@theia/mini-browser” on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the host’s filesystem, given their path, without restrictions on the requester’s origin. This design is vulnerable to being exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.

References

bugs.eclipse.org/bugs/show_bug.cgi?id=551747
github.com/advisories/GHSA-f7vx-j8mp-3h2x
github.com/eclipse-theia/theia/commit/b212d07f915df1509180944ee3132714bc2636bf
github.com/eclipse-theia/theia/pull/7205
nvd.nist.gov/vuln/detail/CVE-2019-17636

Code Behaviors & Features

Detect and mitigate CVE-2019-17636 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →