SSRF in Rendertron
CVE-2020-8902

3.5LOW

Key Information:

Vendor: Google
Status: Rendertron
Vendor: CVE Published:; 23 February 2021

Summary

Rendertron versions prior to 3.0.0 are are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot. Suggested mitigations are to upgrade your rendertron to version 3.0.0, or, if you cannot update, to secure the infrastructure to limit the headless chrome's access to your internal domain.

Affected Version(s)

Rendertron stable < 3.0.0

References

https://github.com/GoogleChrome/rendertron/releases/tag/3...

x_refsource_CONFIRM

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 23, 2021
Vulnerability Reserved
Feb 12, 2020

Collectors

NVD DatabaseMitre Database

Credit

N Suriya Prakash from Cyber Security and Privacy Foundation Pte Ltd