{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/gotenberg--8.30.1/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Gotenberg \u003c= 8.30.1"],"_cs_severities":["critical"],"_cs_tags":["argument-injection","vulnerability","container"],"_cs_type":"advisory","_cs_vendors":["Gotenberg"],"content_html":"\u003cp\u003eGotenberg, a Docker-based solution for converting various document formats to PDF, is vulnerable to an argument injection flaw affecting versions 8.30.1 and earlier. This vulnerability stems from insufficient sanitization of metadata values passed to the ExifTool during PDF processing. Specifically, the application fails to properly sanitize newline characters within metadata values. By exploiting this flaw, an unauthenticated attacker can inject arbitrary ExifTool pseudo-tags, such as \u003ccode\u003e-FileName\u003c/code\u003e, \u003ccode\u003e-Directory\u003c/code\u003e, \u003ccode\u003e-SymLink\u003c/code\u003e, and \u003ccode\u003e-HardLink\u003c/code\u003e, allowing for unauthorized file manipulation, including renaming, moving, overwriting, and creating symbolic or hard links to files within the container\u0026rsquo;s filesystem. The vulnerability is a bypass of an incomplete key sanitization fix introduced in version 8.30.1, highlighting the importance of thorough input validation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious PDF file or uses an existing PDF.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a newline character followed by an ExifTool pseudo-tag (e.g., \u003ccode\u003e-FileName=/tmp/inject_proof\u003c/code\u003e) into a metadata value (e.g., the \u0026lsquo;Title\u0026rsquo; field).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the PDF, along with the crafted metadata, to the Gotenberg \u003ccode\u003e/forms/pdfengines/metadata/write\u003c/code\u003e endpoint via a POST request.\u003c/li\u003e\n\u003cli\u003eGotenberg\u0026rsquo;s \u003ccode\u003eWriteMetadata\u003c/code\u003e function in \u003ccode\u003epkg/modules/exiftool/exiftool.go\u003c/code\u003e processes the metadata.\u003c/li\u003e\n\u003cli\u003eThe unsanitized metadata value is passed to \u003ccode\u003ego-exiftool\u003c/code\u003e\u0026rsquo;s \u003ccode\u003eSetString\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ego-exiftool\u003c/code\u003e writes the key-value pair to ExifTool\u0026rsquo;s stdin using \u003ccode\u003efmt.Fprintln(e.stdin, \u0026quot;-\u0026quot;+k+\u0026quot;=\u0026quot;+str)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe newline character splits the ExifTool stdin line into two separate arguments, injecting the attacker\u0026rsquo;s pseudo-tag.\u003c/li\u003e\n\u003cli\u003eExifTool executes the injected command (e.g., moving the PDF to \u003ccode\u003e/tmp/inject_proof\u003c/code\u003e).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to rename or move any PDF being processed to an arbitrary path within the container filesystem, which runs as root by default. This also enables overwriting arbitrary files (e.g., corrupting the \u003ccode\u003e/etc/passwd\u003c/code\u003e file), creating symlinks, and creating hard links. The container filesystem becomes fully exposed to arbitrary file manipulation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply value sanitization parallel to the existing key check in \u003ccode\u003eWriteMetadata\u003c/code\u003e as described in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement detection rules to identify attempts to exploit the vulnerability by monitoring for suspicious characters in HTTP requests to the \u003ccode\u003e/forms/pdfengines/metadata/write\u003c/code\u003e endpoint using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected file modifications within the Gotenberg container, especially the creation or modification of symbolic links and hard links, using \u003ccode\u003efile_event\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Gotenberg that addresses this vulnerability to prevent exploitation (CVE-2026-40281).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-gotenberg-exiftool-injection/","summary":"Gotenberg version 8.30.1 and earlier is vulnerable to argument injection, where an unauthenticated attacker can inject arbitrary ExifTool pseudo-tags via newline characters in metadata values, leading to arbitrary file manipulation within the container filesystem.","title":"Gotenberg ExifTool Argument Injection via Metadata Values","url":"https://feed.craftedsignal.io/briefs/2024-01-02-gotenberg-exiftool-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Gotenberg \u003c= 8.30.1","version":"https://jsonfeed.org/version/1.1"}