CVE-2024-21527 Information

Jul 20, 2024 cve

Description

Versions of the package github.com/gotenberg/gotenberg/v8/pkg/gotenberg before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/chromium before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/webhook before 8.1.0 are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost such as . By exploiting this vulnerability an attacker can achieve local file inclusion allowing of sensitive files read on the host system. Workaround An alternative is using either or both –chromium-deny-list and –chromium-allow-list flags.</p> <h2 id="reference">Reference</h2> <p><a href="https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGGOTENBERG-7537081"><em><strong>https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGGOTENBERG-7537081</strong></em></a> <a href="https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGMODULESCHROMIUM-7537082"><em><strong>https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGMODULESCHROMIUM-7537082</strong></em></a> <a href="https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGMODULESWEBHOOK-7537083"><em><strong>https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGMODULESWEBHOOK-7537083</strong></em></a> <a href="https://github.com/gotenberg/gotenberg/releases/tag/v8.1.0"><em><strong>https://github.com/gotenberg/gotenberg/releases/tag/v8.1.0</strong></em></a> <a href="https://github.com/gotenberg/gotenberg/commit/ad152e62e5124b673099a9103eb6e7f933771794"><em><strong>https://github.com/gotenberg/gotenberg/commit/ad152e62e5124b673099a9103eb6e7f933771794</strong></em></a> <a href="https://gist.github.com/filipochnik/bc88a3d1cc17c07cec391ee98e1e6356"><em><strong>https://gist.github.com/filipochnik/bc88a3d1cc17c07cec391ee98e1e6356</strong></em></a></p> <style> #share-buttons {display: inline-block; vertical-align: middle; } #share-buttons:after {content: ""; display: block; clear: both;} #share-buttons > div { position: relative; text-align: left; height: 36px; width: 32px; float: left; text-align: center; } #share-buttons > div > svg {height: 16px; fill: #09de25; margin-top: 10px;} #share-buttons > div:hover {cursor: pointer;} #share-buttons > div.facebook:hover > svg {fill: #09ad1e;} #share-buttons > div.twitter:hover > svg {fill: #09ad1e;} #share-buttons > div.linkedin:hover > svg {fill: #09ad1e;} #share-buttons > div.pinterest:hover > svg {fill: #09ad1e;} #share-buttons > div.gplus:hover > svg {fill: #09ad1e;} #share-buttons > div.mail:hover > svg {fill: #09ad1e;} #share-buttons > div.instagram:hover > svg {fill: #09ad1e;} #share-buttons > div.facebook > svg {height: 18px; margin-top: 9px;} #share-buttons > div.twitter > svg {height: 20px; margin-top: 8px;} #share-buttons > div.linkedin > svg {height: 19px; margin-top: 7px;} #share-buttons > div.pinterest > svg {height: 20px; margin-top: 9px;} #share-buttons > div.mail > svg {height: 14px; margin-top: 11px;} </style> <span style="color: limegreen;">Share on: </span><div id="share-buttons"> <div class="facebook" title="Share this on Facebook" onclick="window.open('http://www.facebook.com/share.php?u=https:\/\/jamesbrine.com.au\/cve-2024-21527-information\/');"><svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M1343 12v264h-157q-86 0-116 36t-30 108v189h293l-39 296h-254v759h-306v-759h-255v-296h255v-218q0-186 104-288.5t277-102.5q147 0 228 12z"/></svg></div> <div class="twitter" title="Share this on Twitter" onclick="window.open('http://twitter.com/home?status=https:\/\/jamesbrine.com.au\/cve-2024-21527-information\/');"><svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M1684 408q-67 98-162 167 1 14 1 42 0 130-38 259.5t-115.5 248.5-184.5 210.5-258 146-323 54.5q-271 0-496-145 35 4 78 4 225 0 401-138-105-2-188-64.5t-114-159.5q33 5 61 5 43 0 85-11-112-23-185.5-111.5t-73.5-205.5v-4q68 38 146 41-66-44-105-115t-39-154q0-88 44-163 121 149 294.5 238.5t371.5 99.5q-8-38-8-74 0-134 94.5-228.5t228.5-94.5q140 0 236 102 109-21 205-78-37 115-142 178 93-10 186-50z"/></svg></div> <div class="linkedin" title="Share this on Linkedin" onclick="window.open('https://www.linkedin.com/shareArticle?mini=true&url=https:\/\/jamesbrine.com.au\/cve-2024-21527-information\/&title=&summary=&source=');"><svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M477 625v991h-330v-991h330zm21-306q1 73-50.5 122t-135.5 49h-2q-82 0-132-49t-50-122q0-74 51.5-122.5t134.5-48.5 133 48.5 51 122.5zm1166 729v568h-329v-530q0-105-40.5-164.5t-126.5-59.5q-63 0-105.5 34.5t-63.5 85.5q-11 30-11 81v553h-329q2-399 2-647t-1-296l-1-48h329v144h-2q20-32 41-56t56.5-52 87-43.5 114.5-15.5q171 0 275 113.5t104 332.5z"/></svg></div> <div class="mail" title="Share this through Email" onclick="window.open('mailto:?&body=https:\/\/jamesbrine.com.au\/cve-2024-21527-information\/');"><svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M1792 710v794q0 66-47 113t-113 47h-1472q-66 0-113-47t-47-113v-794q44 49 101 87 362 246 497 345 57 42 92.5 65.5t94.5 48 110 24.5h2q51 0 110-24.5t94.5-48 92.5-65.5q170-123 498-345 57-39 100-87zm0-294q0 79-49 151t-122 123q-376 261-468 325-10 7-42.5 30.5t-54 38-52 32.5-57.5 27-50 9h-2q-23 0-50-9t-57.5-27-52-32.5-54-38-42.5-30.5q-91-64-262-182.5t-205-142.5q-62-42-117-115.5t-55-136.5q0-78 41.5-130t118.5-52h1472q65 0 112.5 47t47.5 113z"/></svg></div> </div> <script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <ins class="adsbygoogle" style="display:block" data-ad-format="fluid" data-ad-layout-key="-gu-18+5g-2f-83" data-ad-client="ca-pub-8803350446980282" data-ad-slot="1897330987"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script> </article> </div> </div> </body> </html>