CVE-2017-18353: Authentication Bypass Using an Alternate Path or Channel
Rendertron exposes an _ah/stop route that shuts down the Chrome instance responsible for serving render requests to all users. Because the route accepts an unauthenticated GET request, any unauthorized remote attacker can disable the core service of the application.