Home > Vulnerability Database > CVE-2024-21527

Mend.io Vulnerability Database

CVE-2024-21527

Good to know:

Date: July 19, 2024

Versions of the package github.com/gotenberg/gotenberg/v8/pkg/gotenberg before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/chromium before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/webhook before 8.1.0 are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost, such as <iframe src="\\localhost/etc/passwd">. By exploiting this vulnerability, an attacker can achieve local file inclusion, allowing of sensitive files read on the host system. Workaround An alternative is using either or both --chromium-deny-list and --chromium-allow-list flags.

Language: Go

Severity Score

8.2

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-21527

Url: https://gist.github.com/filipochnik/bc88a3d1cc17c07cec391ee98e1e6356

Url: https://github.com/gotenberg/gotenberg/releases/tag/v8.1.0

Url: https://github.com/gotenberg/gotenberg/commit/ad152e62e5124b673099a9103eb6e7f933771794

Url: https://www.mend.io/vulnerability-database/CVE-2024-21527

Severity Score

8.2

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version github.com/gotenberg/gotenberg-v8.1.0

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-21527

Good to know:

Date: July 19, 2024

Language: Go

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?