CVE-2020-8902— SSRF in Rendertron
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-8902
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SSRF in Rendertron
Source: NVD (National Vulnerability Database)
Vulnerability Description
Rendertron versions prior to 3.0.0 are are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot. Suggested mitigations are to upgrade your rendertron to version 3.0.0, or, if you cannot update, to secure the infrastructure to limit the headless chrome's access to your internal domain.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
访问控制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Rendertron 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Martin Splitt Rendertron是GlobalMartin Splitt开源的一个应用系统提供无头Chrome渲染解决方案,旨在即时渲染和序列化网页 Rendertron versions prior to 3.0.0 存在代码问题漏洞,该漏洞源于攻击者可利用该漏洞可以使用一个特别制作的网页来强迫一个rendertron headless chrome进程渲染它可以访问的内部网站,并以截图的形式显示。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Google LLC | Rendertron | stable ~ 3.0.0 | - |
II. Public POCs for CVE-2020-8902
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2020-8902
请登录查看更多情报信息。
- https://github.com/GoogleChrome/rendertron/releases/tag/3.0.0x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2020-8902
IV. Related Vulnerabilities
Same vendor: Google LLC
- CVE-2022-3095
Incorrect parsing of the backslash characters in Dart librar - CVE-2022-3474
Bazel leaks user credentials through the remote assets API - CVE-2022-3421
Privilege escalation in Google Drive for Desktop on MacOS - CVE-2022-3171
Memory handling vulnerability in ProtocolBuffers Java core a - CVE-2022-1941
Out of Memory issue in ProtocolBuffers for cpp and python
Same weakness: CWE-284
- CVE-2026-8233
Dotouch XproUPF access control - CVE-2026-42569
phpvms: /importer authorization bypass causing full database - CVE-2026-42205
Avo: Broken Access Control: Unauthorized Execution of Arbitr - CVE-2026-41487
Langfuse: Improper role-based-access control in Langfuse LLM - CVE-2026-42278
UltraDAG: Smart Account Spending Policy Bypass via Pockets
V. Comments for CVE-2020-8902
No comments yet