CVE-2021-23345

Published: Feb 26, 2021Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>.

Affected (1)

Products: Thecodingmachine: Gotenberg

Thecodingmachine

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Thecodingmachine Gotenberg	All versions

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://github.com/thecodingmachine/gotenberg/issues/261

Source: report@snyk.io

ExploitThird Party Advisory

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTHECODINGMACHINEGOTENBERG-1062043

Source: report@snyk.io

ExploitThird Party Advisory

https://github.com/thecodingmachine/gotenberg/issues/261

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMTHECODINGMACHINEGOTENBERG-1062043

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.