CVE-2020-26282 — CRITICAL (10.0)

Q: How severe is CVE-2020-26282?

CVE-2020-26282 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-26282?

Check the references section above for vendor advisories and patch information. Affected products include: Browserup Browserup Proxy.

Vulnerability Description

BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. BrowserUp Proxy works well as a standalone proxy server, but it is especially useful when embedded in Selenium tests. A Server-Side Template Injection was identified in BrowserUp Proxy enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. This has been patched in version 2.1.2.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Browserup	Browserup Proxy	< 2.1.2

Related Weaknesses (CWE)

CWE-74

References

https://github.com/browserup/browserup-proxy/commit/4b38e7a3e20917e5c3329d0d4e95PatchThird Party Advisory
https://github.com/browserup/browserup-proxy/releases/tag/v2.1.2Third Party Advisory
https://github.com/browserup/browserup-proxy/security/advisories/GHSA-wmfg-55f9-Third Party Advisory
https://securitylab.github.com/research/bean-validation-RCEExploitThird Party Advisory
https://github.com/browserup/browserup-proxy/commit/4b38e7a3e20917e5c3329d0d4e95PatchThird Party Advisory
https://github.com/browserup/browserup-proxy/releases/tag/v2.1.2Third Party Advisory
https://github.com/browserup/browserup-proxy/security/advisories/GHSA-wmfg-55f9-Third Party Advisory
https://securitylab.github.com/research/bean-validation-RCEExploitThird Party Advisory

FAQ

What is CVE-2020-26282?

CVE-2020-26282 is a vulnerability with a CVSS score of 10.0 (CRITICAL). BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. BrowserUp Proxy works well as a standalone proxy server, but it i...

How severe is CVE-2020-26282?

CVE-2020-26282 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-26282?

Check the references section above for vendor advisories and patch information. Affected products include: Browserup Browserup Proxy.