Описание
Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18.
Уязвимые конфигурации
Конфигурация 1Версия до 4.16.18 (исключая)Версия от 5.0.0 (включая) до 5.13.2 (исключая)
Одно из
cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*
cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*
EPSS
Процентиль: 39%
0.00173
Низкий
6.1 Medium
CVSS3
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 6.1
github
6 месяцев назад
Astro allows unauthorized third-party images in _image endpoint
EPSS
Процентиль: 39%
0.00173
Низкий
6.1 Medium
CVSS3
Дефекты
CWE-79