Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-342q-2mc2-5gmp

Опубликовано: 15 июл. 2024
Источник: github
Github: Прошло ревью
CVSS4: 6.3
CVSS3: 3.7

Описание

@jmondi/url-to-png enables capture screenshot of localhost web services (unauthenticated pages)

Summary

The maintainer been contemplating whether FTP or other protocols could serve as useful functionalities, but there may not be a practical reason for it since we are utilizing headless Chrome to capture screenshots. The argument is based on the assumption that this package can function as a service.

The package includes an ALLOW_LIST where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed.

The maintainer is of the opinion that the package should also have a blacklist due to a potential vulnerability (or rather design oversight). If someone hosts this on a server, users could then capture screenshots of other web services running locally.

Unless this is strictly for web pages. Something similar here: https://github.com/follow-redirects/follow-redirects/issues/235 (localhost is intended for end users or hosts to deny, and the package is for HTTP/HTTPS.)

This is marked as a LOW since the maintainer is not sure if this is a vulnerability, but it's still best to highlight it. :)

PoC

Have a service like so running locally:

const http = require("http") const server = http.createServer((req, res) => { console.log("Received headers:", req.headers) res.writeHead(200, { "Content-Type": "text/plain" }) res.end("Something private! But Hello from Server 2 :)") }) server.listen(3001, () => { console.log("Server two running on http://localhost:3001") })

Run the package in dev mode, pnpm dev. Feed these URLs:

http://localhost:3089/?url=http://[::]:3001&width=4000 http://localhost:3089/?url=http://localhost:3001&width=4000 http://localhost:3089/?url=http://127.0.01:3001&width=4000
image

Impact

Disclose internal web services?

Ссылки

Пакеты

Наименование

@jmondi/url-to-png

npm
Затронутые версииВерсия исправления

< 2.1.2

2.1.2

EPSS

Процентиль: 26%
0.0009
Низкий

6.3 Medium

CVSS4

3.7 Low

CVSS3

CVE ID

CVE-2024-39919

Дефекты

CWE-200

Связанные уязвимости

nvd логотип

CVE-2024-39919

CVSS3: 3.1
nvd
больше 1 года назад

@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. The package includes an `ALLOW_LIST` where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed. If someone hosts this project on a server, users could then capture screenshots of other web services running locally. This issue has been addressed in version 2.1.1 with the addition of a blocklist. Users are advised to upgrade. There are no known workarounds for this vulnerability.

EPSS

Процентиль: 26%
0.0009
Низкий

6.3 Medium

CVSS4

3.7 Low

CVSS3

CVE ID

CVE-2024-39919

Дефекты

CWE-200