Description

Versions of the package github.com/gotenberg/gotenberg/v8/pkg/gotenberg before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/chromium before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/webhook before 8.1.0 are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost, such as <iframe src="\\localhost/etc/passwd">. By exploiting this vulnerability, an attacker can achieve local file inclusion, allowing of sensitive files read on the host system. Workaround An alternative is using either or both --chromium-deny-list and --chromium-allow-list flags.

INFO

Published Date :

2024-07-19T05:00:04.457Z

Last Modified :

2024-09-05T13:26:11.327Z

Source :

snyk
AFFECTED PRODUCTS

The following products are affected by CVE-2024-21527 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-21527.

URL Resource
https://gist.github.com/filipochnik/bc88a3d1cc17c07cec391ee98e1e6356 cve-icon cve-icon cve-icon
https://github.com/gotenberg/gotenberg/commit/ad152e62e5124b673099a9103eb6e7f933771794 cve-icon cve-icon cve-icon
https://github.com/gotenberg/gotenberg/releases/tag/v8.1.0 cve-icon cve-icon cve-icon
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGGOTENBERG-7537081 cve-icon cve-icon cve-icon
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGMODULESCHROMIUM-7537082 cve-icon cve-icon cve-icon
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGMODULESWEBHOOK-7537083 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact