CVE-2024-21527

CVSS 3.1 Score 8.2 of 10 (high)

Details

Published Jul 19, 2024
CWE ID 918 (Server-Side Request Forgery)

Summary

CVE-2024-21527 is a Server-Side Request Forgery (SSRF) vulnerability in the Gotenberg Go modules github.com/gotenberg/gotenberg/v8/pkg/gotenberg, github.com/gotenberg/gotenberg/v8/pkg/modules/chromium and github.com/gotenberg/gotenberg/v8/pkg/modules/webhook, in versions before 8.1.0. An attacker exploits it by submitting to the /convert/html endpoint an HTML document that references a file on the Gotenberg host through a localhost URL, for example <iframe src="\\\\localhost/etc/passwd">. Chromium loads the referenced file and renders its contents into the generated output, so the SSRF becomes a local file inclusion that can expose sensitive files on the system running Gotenberg. On unfixed versions, restricting the URLs Chromium is allowed to load with the --chromium-deny-list and --chromium-allow-list flags mitigates the issue; upgrading to 8.1.0 or later is the fix.
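The two steps behind the payload, as an added example that is not Gotenberg's code: first, how the iframe src resolves once a WHATWG-style URL parser treats the backslashes as slashes and resolves the result against the file: URL of the uploaded index.html; second, a URL policy check patterned on the intent of the --chromium-allow-list and --chromium-deny-list flags. The per-job working directory /tmp/job-1, the URLFilter type and its semantics (deny regexp first, then confinement of file: URLs to the working directory, then the allow regexp for everything else) are my assumptions for illustration, not the project's implementation.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// resolveLikeChromium shows why the advisory's src value reaches a system file.
// For special schemes (http, https, file) a WHATWG-style parser treats '\' as
// '/', so `\\localhost/etc/passwd` becomes the scheme-relative reference
// `//localhost/etc/passwd`. Resolved against the file: URL of the uploaded
// index.html, that is a file URL with host "localhost" and path /etc/passwd.
func resolveLikeChromium(base, ref string) (string, error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	r, err := url.Parse(strings.ReplaceAll(ref, `\`, "/"))
	if err != nil {
		return "", err
	}
	return b.ResolveReference(r).String(), nil
}

// URLFilter is an illustrative policy (assumption: not Gotenberg's own code)
// in the spirit of the --chromium-allow-list / --chromium-deny-list flags.
// Go's RE2 regexps have no negative lookahead, so file: URLs are confined by
// a path check instead of by a "file: but not under /tmp" pattern.
type URLFilter struct {
	WorkDir string         // directory holding the uploaded files of one job
	Allow   *regexp.Regexp // if set, every non-file URL must match it
	Deny    *regexp.Regexp // if set, any URL matching it is rejected
}

// Permits reports whether Chromium should be allowed to load raw.
func (f URLFilter) Permits(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	if f.Deny != nil && f.Deny.MatchString(raw) {
		return false
	}
	if u.Scheme == "file" {
		// file://localhost/etc/passwd and file:///etc/passwd name the same
		// file. A pattern anchored on "file:///" misses the host form, so any
		// non-empty host is rejected outright instead of special-casing it.
		if u.Host != "" {
			return false
		}
		// path.Clean collapses ".." so a traversal out of WorkDir is caught.
		clean := path.Clean(u.Path)
		return strings.HasPrefix(clean, path.Clean(f.WorkDir)+"/")
	}
	if f.Allow != nil && !f.Allow.MatchString(raw) {
		return false
	}
	return true
}

func main() {
	// Constructed values: a job directory and the payload from the advisory.
	const workDir = "/tmp/job-1"
	base := "file://" + workDir + "/index.html"
	payload := `\\localhost/etc/passwd`

	resolved, err := resolveLikeChromium(base, payload)
	if err != nil {
		panic(err)
	}
	filter := URLFilter{
		WorkDir: workDir,
		Allow:   regexp.MustCompile(`^https://`),
	}
	for _, u := range []string{
		resolved,
		base,
		"file:///etc/passwd",
		"file:///tmp/job-1/../../etc/passwd",
		"https://example.com/logo.png",
		"http://localhost:8080/",
	} {
		fmt.Printf("%-40s permitted=%v\n", u, filter.Permits(u))
	}
}
```

The filter lets the uploaded index.html itself load (it sits under the working directory) while rejecting the resolved payload, the equivalent file:///etc/passwd form, a `..` traversal out of the working directory and a plain-http localhost request that the allow list does not cover.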
