Insecure File Exposure in Eclipse Theia Mini-Browser Extension
CVE-2019-17636
8.1 HIGH
Summary
The Eclipse Theia Mini-Browser extension exposes an HTTP endpoint that inadvertently allows unauthorized access to the host's filesystem. Remote attackers can exploit it via DNS rebinding or drive-by downloads to access sensitive files, provided they know the file paths. It underscores the need for stricter validation to prevent unauthorized file access.
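One form the stricter validation mentioned above can take is sketched below: a gate that rejects requests to a loopback-only HTTP endpoint when the `Host` or `Origin` header names a non-local site, which is what a DNS-rebinding or drive-by request looks like on arrival. This is an added example, not Theia's code or its actual fix; `ALLOWED_HOSTS`, `hostnameOf` and `checkRequest` are hypothetical names, and the sample headers are constructed.

```javascript
// Added example: request gate for a loopback-only HTTP file endpoint.
// ALLOWED_HOSTS, hostnameOf and checkRequest are hypothetical, not Theia APIs.
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Return the lowercase hostname from a Host or Origin header value, or null.
function hostnameOf(value, isOrigin) {
  if (typeof value !== 'string' || value.length === 0) return null;
  try {
    // Host carries no scheme, so prepend one to reuse the URL parser.
    const url = new URL(isOrigin ? value : `http://${value}`);
    // Reject Host values that smuggle a path, query or credentials.
    if (!isOrigin && (url.pathname !== '/' || url.search || url.username)) {
      return null;
    }
    return url.hostname;
  } catch {
    return null; // unparsable, including the literal Origin value "null"
  }
}

// Decide whether a request may reach the file-serving handler.
function checkRequest(headers) {
  // With DNS rebinding the browser still sends the attacker's domain as Host.
  const host = hostnameOf(headers.host, false);
  if (host === null || !ALLOWED_HOSTS.has(host)) {
    return { allow: false, reason: 'host-not-allowed' };
  }
  // If the browser sent an Origin header, it must also be a local origin.
  if (headers.origin !== undefined) {
    const origin = hostnameOf(headers.origin, true);
    if (origin === null || !ALLOWED_HOSTS.has(origin)) {
      return { allow: false, reason: 'origin-not-allowed' };
    }
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample requests (header names lowercased, as Node delivers them).
const SAMPLES = [
  { host: 'localhost:3000' },
  { host: 'rebind.example:3000' },
  { host: '127.0.0.1:3000', origin: 'https://drive-by.example' },
  { host: '[::1]:3000', origin: 'http://localhost:3000' },
];
for (const headers of SAMPLES) {
  console.log(JSON.stringify(headers), '->', checkRequest(headers).reason);
}
```

A header gate like this only narrows who can reach the endpoint; confining the served paths to an intended directory is a separate check.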
Affected Version(s)
Eclipse Theia 0.3.9 to 0.15.0
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved