CVE-2021-34435

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to trigger an RCE. This exploit only happens if a user previews a malicious file..

Published: Sep 1, 2021
Updated: May 9, 2024
CVE: CVE-2021-34435
GHSA: GHSA-v9w2-v7j9-rjpr
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-942
CWE-668
CWE-346

Affected Software
References

Software	From	Fixed in
eclipse / theia	0.3.9	1.8.1.x
@theia / mini-browser	0.3.9	1.9.0

https://bugs.eclipse.org/bugs/show_bug.cgi?id=568018
https://github.com/eclipse-theia/theia/commit/0761dcf5fe3c14c27432683d42d2c526ad0cfbd5
https://github.com/eclipse-theia/theia/pull/8759

Vulnerability Database

CVE-2021-34435