GHSA-HFWX-C7Q6-G54C

Vulnerability from github – Published: 2021-03-12 23:04 – Updated: 2021-03-12 22:32
Summary
Vulnerability allowing for reading internal HTTP resources
Details

Impact

The vulnerability allows for reading and outputting files served by other services on the internal network in which the export server is hosted. If the export server is exposed to the internet, this potentially allows a malicious user to gain read access to internal web resources.

The impact is limited to internal services that serve content via HTTP(S), and requires the attacker to know internal hostnames/IP addresses.

The previous versions have been marked as deprecated on NPM.

Patches

Version 2.1.0 released alongside this security advisory addresses the issue. Please note that this release is not backwards compatible out of the box. See the changelog for details.

Additionally, it is recommended to upgrade to the latest version of Highcharts to get the added input sanitization implemented in version 9.0 and later.
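Whether an installed copy falls inside the affected range can be checked mechanically against the OSV record published for this advisory (introduced 0, fixed 2.1.0). The following is an added example, not code from Highsoft or the export server project; the lockfile fragment is constructed and the version comparison assumes plain numeric versions as in this record.

```javascript
// Subset of the OSV "affected" entry for GHSA-hfwx-c7q6-g54c, copied from the advisory record.
const advisory = {
  affected: [{
    package: { ecosystem: "npm", name: "highcharts-export-server" },
    ranges: [{ type: "ECOSYSTEM", events: [{ introduced: "0" }, { fixed: "2.1.0" }] }],
  }],
};

// Numeric major.minor.patch comparison; pre-release suffixes are not handled
// (assumption: the versions in this record and lockfile are plain numeric).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// OSV ECOSYSTEM range semantics: events are ordered, a version is affected once an
// "introduced" event is <= it and stays affected until a later "fixed" event is <= it.
function isAffected(version, osvRecord, pkgName) {
  for (const entry of osvRecord.affected) {
    if (entry.package.name !== pkgName) continue;
    for (const range of entry.ranges) {
      if (range.type !== "ECOSYSTEM") continue;
      let vulnerable = false;
      for (const ev of range.events) {
        if (ev.introduced !== undefined && compareVersions(version, ev.introduced) >= 0) vulnerable = true;
        if (ev.fixed !== undefined && compareVersions(version, ev.fixed) >= 0) vulnerable = false;
      }
      if (vulnerable) return true;
    }
  }
  return false;
}

// Walk a package-lock.json "packages" map (lockfileVersion 2/3) and list every
// installed copy, including nested ones, that falls in an affected range.
function auditLock(lock, osvRecord) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // last segment is the package name
    if (name && meta.version && isAffected(meta.version, osvRecord, name)) hits.push(`${path}@${meta.version}`);
  }
  return hits;
}

// Constructed sample lockfile fragment (not from any real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/highcharts-export-server": { version: "2.0.30" },
    "node_modules/express": { version: "4.17.1" },
  },
};
console.log(auditLock(sampleLock, advisory));
```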

Workarounds

There are no known workarounds to the issue - an upgrade to version 2.1.0 is required.

For more information

If you have any questions or comments about this advisory:
  • Open an issue in the export server issue tracker
  • Email us at security@highsoft.com


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.30"
      },
      "package": {
        "ecosystem": "npm",
        "name": "highcharts-export-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-12T22:32:16Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe vulnerability allows for reading and outputting files served by other services on the internal network in which the export server is hosted. If the export server is exposed to the internet, this potentially allows a malicious user to gain read access to internal web-resources.\n\nThe impact is limited to internal services that serve content via. HTTP(S), and requires the attacker to know internal hostnames/IP addresses.\n\nThe previous versions have been marked as deprecated on NPM.\n\n### Patches\n\nVersion 2.1.0 released alongside this security advisory addresses the issue. **Please note that this release is not backwards compatible out of the box. See the [changelog](https://github.com/highcharts/node-export-server/blob/master/CHANGELOG.md) for details.**\n\nAdditionally, it\u0027s also recommended to upgrade to the latest version of Highcharts to get the added input sanitation implemented in version 9.0 and later. \n\n### Workarounds\n\nThere are no known workarounds to the issue - an upgrade to version 2.1.0 is required.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the export server issue tracker](https://github.com/highcharts/node-export-server/issues)\n* Email us at [security@highsoft.com](mailto:security@highsoft.com)",
  "id": "GHSA-hfwx-c7q6-g54c",
  "modified": "2021-03-12T22:32:16Z",
  "published": "2021-03-12T23:04:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/highcharts/node-export-server/security/advisories/GHSA-hfwx-c7q6-g54c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/highcharts/node-export-server/commit/53fa992a96785a5a08390e55ec30ea2ad217dfe6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/highcharts/node-export-server/blob/master/CHANGELOG.md#210"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/highcharts-export-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Vulnerability allowing for reading internal HTTP resources"
}