Vulnerabilities > CVE-2020-8902 - Server-Side Request Forgery (SSRF) vulnerability in Google Rendertron

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

google

CWE-918

NVD

Published: 2021-02-23

Updated: 2023-11-07

Summary

Rendertron versions prior to 3.0.0 are are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot. Suggested mitigations are to upgrade your rendertron to version 3.0.0, or, if you cannot update, to secure the infrastructure to limit the headless chrome's access to your internal domain.

Vulnerable Configurations

Part	Description	Count
Application	Google Google Rendertron - Google Rendertron 1.0.0 Google Rendertron 1.1.0 Google Rendertron 1.1.1 Google Rendertron 2.0.0	5

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

https://github.com/GoogleChrome/rendertron/releases/tag/3.0.0