CVE-2020-13452

Published: Jan 7, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution.

Affected (1)

Products: Thecodingmachine: Gotenberg

Thecodingmachine

1 product

Gotenberg

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Thecodingmachine Gotenberg	Up to 6.2.1

Related CWEs

CWE-276

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (4)

http://packetstormsecurity.com/files/160744/Gotenberg-6.2.0-Traversal-Code-Execution-Insecure-Permissions.html

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://github.com/thecodingmachine/gotenberg/issues/199

Source: cve@mitre.org

Third Party Advisory

http://packetstormsecurity.com/files/160744/Gotenberg-6.2.0-Traversal-Code-Execution-Insecure-Permissions.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://github.com/thecodingmachine/gotenberg/issues/199

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.