SB2020031606 - Insufficient verification of data authenticity in Eclipse Theia
Published: March 16, 2020
Description
This security bulletin contains information about 1 security vulnerability.
1) Insufficient verification of data authenticity (CVE-ID: CVE-2019-17636)
The vulnerability allows a remote attacker to read arbitrary files on the system.
The vulnerability exists because the "Mini-Browser" extension exposes an HTTP endpoint that returns the contents of a file on the host's filesystem given its path, without restricting the requester's origin. A remote attacker can reach that endpoint through a DNS rebinding attack or a drive-by download of a carefully crafted exploit and read the content of arbitrary files on the host.
Remediation
Install the update from the vendor's website.