Gotenberg Chromium Deny-List Bypass via Case-Insensitive URL Scheme
Gotenberg versions before 8.29.0 are vulnerable to unauthenticated arbitrary file read. The Chromium deny-list compares URL schemes case-sensitively while Chromium itself resolves them case-insensitively, so a mixed-case or upper-case scheme such as FILE:///etc/passwd slips past the list and lets an attacker read sensitive files from the Gotenberg container. This bypasses the fix for CVE-2024-21527.
Gotenberg, a popular Docker-based service for converting HTML, Markdown, and Office documents to PDF, carries a critical vulnerability in versions prior to 8.29.0: unauthenticated arbitrary file read through a bypass of the Chromium deny-list. The deny-list was introduced to keep the headless browser away from sensitive local files, but it matches the URL scheme case-sensitively, whereas Chromium accepts a scheme written in any letter case. A URL whose scheme is spelled FILE:// or File:// is therefore not recognised by the list yet is still resolved by Chromium as a local file. An attacker can exploit this by using…
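The following Go program is an added illustration of the mismatch described above; it is not Gotenberg's code. It places a deny-list check that runs a lower-case pattern over the raw URL string beside a check that parses the URL and decides on the normalised scheme. The pattern `^file:///.*`, the function names and the sample URLs are assumptions for the example (Gotenberg's real deny-list is operator-configurable).

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// denyList is a constructed stand-in for a deny-list pattern meant to block
// local file reads. It is an assumption for this example, not Gotenberg's
// shipped default.
var denyList = regexp.MustCompile(`^file:///.*`)

// weakDenied runs the pattern over the raw URL string exactly as the client
// sent it. The pattern spells the scheme in lower case and carries no (?i)
// flag, so "FILE:///etc/passwd" and "File:///etc/passwd" pass even though
// Chromium resolves URL schemes case-insensitively (RFC 3986, section 3.1).
func weakDenied(raw string) bool {
	return denyList.MatchString(raw)
}

// hardenedDenied parses the URL, lower-cases the scheme and decides on that
// normalised value instead of on the raw text, so the spelling the client
// chose no longer matters. Input without a usable scheme is refused (fail
// closed). The explicit ToLower does not rely on the parser normalising case.
func hardenedDenied(raw string) bool {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Scheme == "" {
		return true
	}
	return strings.ToLower(u.Scheme) == "file"
}

func main() {
	// Constructed sample inputs, not captured traffic.
	inputs := []string{
		"https://example.com/report",
		"file:///etc/passwd",
		"FILE:///etc/passwd",
		"File:///etc/passwd",
		"fIlE:///proc/self/environ",
	}
	fmt.Printf("%-28s %-6s %-9s\n", "url", "weak", "hardened")
	for _, in := range inputs {
		fmt.Printf("%-28s %-6v %-9v\n", in, weakDenied(in), hardenedDenied(in))
	}
}
```

The weak check only ever sees the lower-case spelling it was written for; the hardened check compares the parsed scheme, so it also holds when a future operator edits the pattern and forgets a case-insensitive flag. Normalising before matching, rather than sprinkling `(?i)` into patterns, is the fix shape to look for when reviewing a deny-list.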
Detection coverage (2 rules)
Detect Gotenberg File Read Bypass via URL Scheme Case Manipulation
Severity: high. Detects attempts to bypass the Gotenberg Chromium deny-list by using mixed-case or uppercase URL schemes to access local files.
Detect Gotenberg HTML Conversion File Read Bypass via URL Scheme Case Manipulation
Severity: high. Detects attempts to bypass the Gotenberg Chromium deny-list by using mixed-case or uppercase URL schemes in HTML conversion requests to access local files.
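As an added example of the logic behind the two rules above (not the platform's own queries), the Go program below inspects one Gotenberg request at a time: for the URL route it looks at the `url` form field, for the HTML route it scans the uploaded documents for a `file:` scheme written in anything other than lower case. The rule names, the request representation and the sample requests are constructed for the example; the routes `/forms/chromium/convert/url` and `/forms/chromium/convert/html` and the `index.html` file name are Gotenberg's.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Finding is one detection hit: the rule that fired, the request part it
// fired on, and the scheme token exactly as the client wrote it.
type Finding struct {
	Rule   string
	Where  string
	Scheme string
}

// Assumed rule identifiers for this example; the routes are Gotenberg's.
const (
	ruleURL  = "gotenberg_url_scheme_case_bypass"
	ruleHTML = "gotenberg_html_scheme_case_bypass"

	routeURL  = "/forms/chromium/convert/url"
	routeHTML = "/forms/chromium/convert/html"
)

// schemeRe matches a file: scheme token in any letter case. The token must
// sit at the start of the value or after a character that cannot be part of
// a scheme, so "profile:" or "myfile:" do not fire.
var schemeRe = regexp.MustCompile(`(?i)(?:^|[^a-z0-9+.-])(file:)`)

// caseVariants returns every file: token that is NOT written in lower case.
// The all-lower-case form is what the deny-list already refuses; the rule is
// after the spelling that evades a case-sensitive pattern.
func caseVariants(s string) []string {
	var out []string
	for _, m := range schemeRe.FindAllStringSubmatch(s, -1) {
		if m[1] != "file:" {
			out = append(out, m[1])
		}
	}
	return out
}

// inspectRequest applies the rules to one request. form holds the multipart
// fields (the URL route reads its target from the "url" field); files holds
// the uploaded documents the HTML route renders (index.html plus any assets).
func inspectRequest(route string, form map[string]string, files map[string]string) []Finding {
	var out []Finding
	switch route {
	case routeURL:
		for _, s := range caseVariants(form["url"]) {
			out = append(out, Finding{ruleURL, "url", s})
		}
	case routeHTML:
		names := make([]string, 0, len(files))
		for n := range files {
			names = append(names, n)
		}
		sort.Strings(names) // deterministic output order
		for _, n := range names {
			for _, s := range caseVariants(files[n]) {
				out = append(out, Finding{ruleHTML, n, s})
			}
		}
	}
	return out
}

func main() {
	// Constructed sample requests, not captured traffic.
	samples := []struct {
		route string
		form  map[string]string
		files map[string]string
	}{
		{routeURL, map[string]string{"url": "https://example.com/report"}, nil},
		{routeURL, map[string]string{"url": "file:///etc/passwd"}, nil},
		{routeURL, map[string]string{"url": "FILE:///etc/passwd"}, nil},
		{routeHTML, nil, map[string]string{
			"index.html": `<html><body><iframe src="File:///etc/passwd"></iframe>` +
				`<img src="fIlE:///proc/self/environ"></body></html>`,
		}},
		{routeHTML, nil, map[string]string{
			"index.html": `<a href="https://example.com/profile:42">ok</a>`,
		}},
	}
	for i, s := range samples {
		fmt.Printf("request %d (%s): %v\n", i+1, s.route, inspectRequest(s.route, s.form, s.files))
	}
}
```

The rule is deliberately narrow: it fires on the evasive spelling only, because on an unpatched instance the lower-case form is already refused by the deny-list and on a patched one every spelling is. A request body must be available to the inspection point (a reverse proxy or WAF in front of Gotenberg, or Gotenberg's own request logging), since an access log that records only the path cannot show the scheme.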