Gotenberg ExifTool Tag Blocklist Bypass Vulnerability Allows Arbitrary File Manipulation

Vulnerability

A vulnerability in Gotenberg versions through 8.30.1 allows remote attackers to bypass ExifTool tag name restrictions, enabling them to move, rename, and change permissions of arbitrary files. Gotenberg's blocklist only checks for exact matches of certain tag names, allowing the prefixed 'System:FileName' tag to slip through and be processed by ExifTool, which then renames the file. Additionally, the 'FilePermissions' tag is not blocked at all, allowing permission changes.
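The gap between an exact-match check and a normalized one, as an added Go example (not Gotenberg's code or its actual fix). The contents of the exact-match list and the names `exactMatchBlocked`, `normalizeTag` and `RejectedKeys` are assumptions for illustration; the deny set covers only the tags this advisory names.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Deny set limited to the tags this advisory names (assumption: a real
// deployment may need more entries, or an allowlist of permitted tags).
var denied = map[string]bool{"filename": true, "directory": true, "filepermissions": true}

// exactMatchBlocked models the flawed check: the key is compared verbatim.
// The two names are an assumed blocklist, not copied from Gotenberg.
func exactMatchBlocked(key string) bool {
	return key == "FileName" || key == "Directory"
}

// normalizeTag reduces a key to the bare tag name ExifTool resolves: it drops
// "Group:" prefixes, a trailing "#" (print conversion off), and case.
func normalizeTag(key string) string {
	if i := strings.LastIndex(key, ":"); i >= 0 {
		key = key[i+1:]
	}
	key = strings.TrimSuffix(strings.TrimSpace(key), "#")
	return strings.ToLower(key)
}

// RejectedKeys returns, sorted, the metadata keys that must not reach ExifTool.
func RejectedKeys(meta map[string]string) []string {
	var out []string
	for k := range meta {
		if denied[normalizeTag(k)] {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample request metadata.
	meta := map[string]string{"Author": "a", "System:FileName": "x", "FilePermissions": "777", "system:directory#": "/tmp"}
	for k := range meta {
		fmt.Printf("%-20s exact-match blocks: %v\n", k, exactMatchBlocked(k))
	}
	fmt.Println("rejected after normalization:", RejectedKeys(meta))
}
```

A request whose metadata yields a non-empty `RejectedKeys` result should be refused before ExifTool is invoked.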

Impact

Exploitation of this vulnerability allows for unauthorized file manipulation within the Gotenberg Docker container, including moving files to arbitrary locations, renaming files, and changing file permissions. This could disrupt service for other users and, in cases where Gotenberg shares a Docker volume with other services, potentially affect those services as well.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request to the Gotenberg server with ExifTool metadata that includes 'System:FileName' and 'System:Directory' tags. The file will be renamed and moved to the specified directory inside the container. This exploit can be automated with a simple script or tool that sends the appropriate HTTP requests.

Remediation

Users can upgrade to Gotenberg version 8.31.0 or later, where this vulnerability has been fixed.

Added: May 14, 2026, 4:37 PM
Updated: May 14, 2026, 4:37 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 0.6
exploitability: 9.1
remediation: 7.7
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.