Multiple vulnerabilities in Gotenberg

Published: 2021-01-06
Risk: High
Patch available: Yes
Number of vulnerabilities: 4
CVE-ID: CVE-2020-13449, CVE-2020-13450, CVE-2020-13451, CVE-2020-13452
CWE-ID: CWE-94, CWE-434, CWE-459, CWE-276
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software: gotenberg (Web applications / Other software)
Vendor: thecodingmachine

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Template Injection

EUVDB-ID: #VU49283

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-13449

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to read the contents of arbitrary files on the system.

The vulnerability exists due to improper input validation when converting data into PDF format via the "/convert/markdown" URL. A remote attacker can pass a specially crafted file and read the contents of arbitrary files on the system via the PDF output.


Mitigation

Install updates from the vendor's website.

Vulnerable software versions

gotenberg: 3.0.0 - 6.2.1

External links

http://seclists.org/fulldisclosure/2021/Jan/0
http://medium.com/bugbountywriteup/0-day-bug-breaks-multi-million-dollar-system-38c9e31b27e9


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Arbitrary file upload

EUVDB-ID: #VU49284

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13450

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to insufficient validation of uploaded files at the "/convert/markdown" URL. A remote attacker can upload a malicious file and execute it on the server.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

gotenberg: 3.0.0 - 6.2.1

External links

http://seclists.org/fulldisclosure/2021/Jan/0
http://medium.com/bugbountywriteup/0-day-bug-breaks-multi-million-dollar-system-38c9e31b27e9


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Incomplete cleanup

EUVDB-ID: #VU49285

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13451

CWE-ID: CWE-459 - Incomplete cleanup

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because the software does not remove temporary files created during previous file uploads. A remote attacker can upload a specially crafted file that overwrites LibreOffice configuration (profile) files and execute arbitrary code on the system via LibreOffice macros.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

gotenberg: 3.0.0 - 6.2.1

External links

http://seclists.org/fulldisclosure/2021/Jan/0
http://medium.com/bugbountywriteup/0-day-bug-breaks-multi-million-dollar-system-38c9e31b27e9


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Incorrect default permissions

EUVDB-ID: #VU49286

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13452

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to incorrect default permissions on the "/tini" file, which is writable by the gotenberg user by default. A remote attacker can overwrite the file using vulnerability #VU49284 and perform a denial of service attack or execute arbitrary code on the system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

gotenberg: 3.0.0 - 6.2.1

External links

http://seclists.org/fulldisclosure/2021/Jan/0
http://medium.com/bugbountywriteup/0-day-bug-breaks-multi-million-dollar-system-38c9e31b27e9


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
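A defensive triage helper, added here as an illustration and not part of this bulletin or of the Gotenberg project: it checks whether a deployed release falls inside the affected range 3.0.0 - 6.2.1 that all four entries share, and whether a given file (by default "/tini", from vulnerability #4) is writable by the service account, judged from the classic mode bits only. The version string and the service account's uid/gids are inputs the operator supplies, for example from the image tag and from running the script inside the container as that user.

```python
import os
import stat

# Values taken from the advisory above: the affected release range and the
# file whose default permissions are reported as too loose.
AFFECTED_RANGE = ((3, 0, 0), (6, 2, 1))
TINI_PATH = "/tini"


def parse_version(text):
    """Turn a release string such as '6.2.1' or 'v6.2.1' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


def is_affected_version(text):
    """True when the version lies inside the advisory's 3.0.0 - 6.2.1 range."""
    low, high = AFFECTED_RANGE
    return low <= parse_version(text) <= high


def writable_by(path, uid, gids):
    """Decide from the mode bits whether a process running as `uid` (member of
    the groups in `gids`) may overwrite `path`. ACLs and the root bypass are
    deliberately ignored: the question is whether an unprivileged service
    account such as 'gotenberg' can clobber the file."""
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        return True
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return False


def audit(version, path=TINI_PATH, uid=None, gids=None):
    """Combine both checks into a list of findings. `uid`/`gids` default to the
    current process, i.e. run this inside the container as the service user."""
    findings = []
    if is_affected_version(version):
        findings.append(f"gotenberg {version} is in the affected range 3.0.0 - 6.2.1")
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getgid()} if gids is None else set(gids)
    if os.path.exists(path) and writable_by(path, uid, gids):
        findings.append(f"{path} is writable by uid {uid} (CVE-2020-13452)")
    return findings


if __name__ == "__main__":
    for line in audit(os.environ.get("GOTENBERG_VERSION", "6.2.1")):
        print(line)
```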
