CVE-2020-26282 : BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data

BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. BrowserUp Proxy works well as a standalone proxy server, but it is especially useful when embedded in Selenium tests. A Server-Side Template Injection was identified in BrowserUp Proxy enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. This has been patched in version 2.1.2.

Published 2020-12-24 21:15:13

Updated 2020-12-31 19:03:23

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Execute code

Exploit prediction scoring system (EPSS) score for CVE-2020-26282

Probability of exploitation activity in the next 30 days: 5.63%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 93 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-26282

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
10.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H	3.9	6.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
10.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N	3.9	5.8	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2020-26282

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2020-26282

https://github.com/browserup/browserup-proxy/releases/tag/v2.1.2

Release v2.1.2 · browserup/browserup-proxy · GitHub
Third Party Advisory
https://securitylab.github.com/research/bean-validation-RCE

Bean Stalking: Growing Java beans into RCE - GitHub Security Lab
Exploit;Third Party Advisory
https://github.com/browserup/browserup-proxy/commit/4b38e7a3e20917e5c3329d0d4e9590bed9d578ab

Fix Critical Java EL Injection RCE vulnerability from GHSL-2020-213 · browserup/browserup-proxy@4b38e7a · GitHub
Patch;Third Party Advisory
https://github.com/browserup/browserup-proxy/security/advisories/GHSA-wmfg-55f9-j8hq

Server-Side Template Injection Vulnerability allows Remote Code Execution (RCE) via Java EL Expressions · Advisory · browserup/browserup-proxy · GitHub
Third Party Advisory

Products affected by CVE-2020-26282

Browserup » Browserup Proxy
Versions before (<) 2.1.2
cpe:2.3:a:browserup:browserup_proxy:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2020-26282

Exploit prediction scoring system (EPSS) score for CVE-2020-26282

CVSS scores for CVE-2020-26282

CWE ids for CVE-2020-26282

References for CVE-2020-26282

Products affected by CVE-2020-26282