Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths.
The metadata writing endpoint validates metadata keys for control characters, however metadata values remain unsanitized. Placing a newline character in a metadata value causes the ExifTool stdin input to be split into two separate arguments. In this way, an attacker can inject arbitrary ExifTool pseudo-tags, such as -FileName, -Directory, -SymLink or -HardLink. This is a bypass of the incomplete key validation patch introduced in version 8.30.1.
An unauthorized attacker can rename or move the processed PDF file to any location in the container's file system, overwrite arbitrary files, and create symlinks and hard links under arbitrary paths, which may lead to further integrity violations of the containerized environment.
Gotenberg should be updated to a version containing the patch available in commit 405f1069c026bb08f319fb5a44e5c67c33208318. Details are available in the vendor's references (GitHub Security Advisory GHSA-q7r4-hc83-hf2q).
Gotenberg (Thecodingmachine) in versions 8.30.1 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:HThecodingmachine Gotenberg
APPThecodingmachine< 8.31.0
Related vulnerabilities
SSRF w Gotenberg — ominięcie deny-list przez IPv6-mapped adresy
Gotenberg: command injection w endpoincie zapisu metadanych PDF via ExifTool
An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attack...
A directory traversal vulnerability in file upload function of Gotenberg through 6.2.1 allows an attacker to u...
In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an at...