CVE-2021-23345

Name of the Vulnerable Software and Affected Versions github.com/thecodingmachine/gotenberg (affected versions not specified)

Description The issue allows for Server-side Request Forgery (SSRF) via the "/convert/html" endpoint. This occurs when the src attribute of an HTML element, such as an iframe, refers to an internal system file, for example, <iframe src='file:///etc/passwd'>.

Recommendations As a temporary workaround, consider disabling the "/convert/html" endpoint until a patch is available. Restrict access to internal system files to minimize the risk of exploitation. Avoid using the src attribute in HTML elements within the "/convert/html" endpoint to refer to internal system files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.