Description
@jmondi/url-to-png is a self-hosted URL to PNG utility. Versions prior to 2.0.3 are vulnerable to arbitrary file read if a threat actor uses Playwright's screenshot feature to exploit the file wrapper. Version 2.0.3 mitigates this issue by requiring input URLs to be of protocol http or https. No known workarounds are available aside from upgrading.
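The protocol restriction described above can be sketched as a scheme allowlist applied before a URL is handed to the browser. This is an added example, not the project's actual 2.0.3 code; the function name `validateScreenshotUrl` and the sample inputs are hypothetical.

```javascript
// Added illustration; not taken from @jmondi/url-to-png.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalized URL if it may be rendered, or null if it must be rejected.
function validateScreenshotUrl(input) {
  if (typeof input !== "string") return null;
  let parsed;
  try {
    // The WHATWG URL parser lowercases the scheme and strips surrounding
    // whitespace, so "  FILE:///..." is classified as file: here, whereas a
    // naive startsWith("file:") denylist on the raw string would miss it.
    parsed = new URL(input);
  } catch {
    // Relative paths and malformed input carry no scheme to check: reject.
    return null;
  }
  // Allowlist, not denylist: anything other than http/https is refused.
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Constructed sample inputs for a service that screenshots user-supplied URLs.
const SAMPLE_INPUTS = [
  "https://example.com/page",
  "HTTP://Example.com",
  "file:///etc/passwd",
  "  FILE:///etc/passwd",
  "/etc/passwd",
  "ftp://example.com/file",
];

// Maps each input to an accept/reject decision for logging or review.
function classify(inputs) {
  return inputs.map((input) => ({
    input,
    accepted: validateScreenshotUrl(input) !== null,
  }));
}

for (const row of classify(SAMPLE_INPUTS)) {
  console.log(row.accepted ? "accept" : "reject", JSON.stringify(row.input));
}
```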
References
EPSS
Percentile: 64%
0.00478
Low
5.3 Medium
CVSS3
Weaknesses
CWE-22
Related vulnerabilities
CVSS3: 5.3
github
more than 1 year ago
Arbitrary file read via Playwright's screenshot feature exploiting file wrapper