CVE-2020-8902
SSRF in Rendertron
EPSS 0.06%
Description
Rendertron versions prior to 3.0.0 are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted web page to force the Rendertron headless Chrome process to load internal sites that it can reach and return them as a screenshot. The requests originate from the browser on the rendering host, so anything that host can reach on the internal network is exposed, whether or not Rendertron itself was meant to serve it. The suggested mitigations are to upgrade Rendertron to version 3.0.0 or, if you cannot update, to secure the infrastructure so that the headless Chrome process cannot reach your internal domain.
How to fix CVE-2020-8902
To remediate CVE-2020-8902, upgrade the affected package to a fixed version below.
- npm/rendertron—upgrade to 3.0.0 or later
Is CVE-2020-8902 being exploited?
Low — the EPSS score is 0.06% (as shown above), meaning exploitation activity has not been observed at scale. EPSS estimates the probability of exploitation in the wild over the next 30 days; it says nothing about how exposed a particular deployment is, and an unpatched Rendertron instance that accepts arbitrary URLs remains an SSRF path to whatever its host can reach.
Affected packages (1)
- npm/rendertron: >= 0, < 3.0.0 (every release before 3.0.0)