#VU26096 Insufficient verification of data authenticity in Eclipse Theia - CVE-2019-17636
Published: March 16, 2020
Eclipse Theia
Eclipse
Description
The vulnerability allows a remote attacker to read arbitrary files on the system.
The vulnerability exists because the "Mini-Browser" extension exposes an HTTP endpoint that returns the content of files on the host's filesystem, given their path, without restrictions on the requester's origin. A remote attacker can reach this endpoint through a DNS rebinding attack or a drive-by download of a carefully crafted exploit and read those files.
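A server-side check for the missing origin restriction described above, as an added example that is not Eclipse Theia's code or its actual fix: it rejects requests whose Host or Origin header is not on an allowlist. The allowlist entries, port 3000 and the function names are assumptions made for illustration.

```javascript
// Added example: Host/Origin allowlist for a locally bound HTTP service.
// ALLOWED_HOSTS and port 3000 are assumed values, not taken from the advisory.
const ALLOWED_HOSTS = new Set(['localhost:3000', '127.0.0.1:3000', '[::1]:3000']);

// Normalise an Origin header value to "host:port"; null if it cannot be trusted.
function hostOf(origin) {
  try {
    const u = new URL(origin);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    const port = u.port || (u.protocol === 'https:' ? '443' : '80');
    return `${u.hostname}:${port}`.toLowerCase();
  } catch {
    return null; // covers the literal "null" origin sent by sandboxed contexts
  }
}

// headers: object with lower-cased header names, as Node's http module provides.
function isRequestAllowed(headers, allowedHosts = ALLOWED_HOSTS) {
  // DNS rebinding changes where a name resolves, not the name itself:
  // the browser still sends the attacker-controlled hostname in Host.
  const host = (headers['host'] || '').trim().toLowerCase();
  if (!allowedHosts.has(host)) return { allowed: false, reason: 'host' };

  // Origin is absent on plain navigations; when present it must also match,
  // which blocks cross-site scripted requests that use a legitimate Host.
  const origin = headers['origin'];
  if (origin !== undefined) {
    const h = hostOf(origin);
    if (h === null || !allowedHosts.has(h)) return { allowed: false, reason: 'origin' };
  }
  return { allowed: true, reason: null };
}

// Constructed sample requests (hostnames are placeholders).
const SAMPLES = [
  { host: 'localhost:3000' },
  { host: 'rebind.attacker.example:3000' },
  { host: 'localhost:3000', origin: 'http://other-site.example' },
  { host: '127.0.0.1:3000', origin: 'http://127.0.0.1:3000' },
  { host: 'localhost:3000', origin: 'null' },
];

function evaluateSamples() {
  return SAMPLES.map((h) => isRequestAllowed(h));
}
```

The check belongs in front of every route of the service, so that a file-serving handler is never reached with an unexpected Host or Origin.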