Gotenberg Unauthenticated File Read Vulnerability via Chromium URL Routes

Vulnerability

A vulnerability in Gotenberg, a Docker-based API for PDF processing, allows unauthenticated users to read arbitrary files from the server's temporary directory through the '/forms/chromium/convert/url' and '/forms/chromium/screenshot/url' routes. This issue affects Gotenberg versions prior to 8.32.0. The vulnerability arises because the default deny-list for file URLs in Chromium exempts 'file:///tmp/', enabling access to request-local assets. However, the URL routes do not implement the same scope guard, allowing exploitation. The vulnerability can be exploited to enumerate the '/tmp/' directory and access raw source files of other users' conversions, which are then returned as PDF documents.

Impact

Exploitation allows for unauthorized file reading from the server's temporary directory, including sensitive user-uploaded content from other in-flight conversion requests, which can be exfiltrated as rendered PDF files. In multi-tenant environments, this could lead to cross-tenant document theft.

Reproduction

The vulnerability can be reproduced by sending a request to the '/forms/chromium/convert/url' or '/forms/chromium/screenshot/url' routes with a 'file:///tmp/' URL. This can be done using the Gotenberg Docker image without authentication. Once the request is sent, the response will include the contents of the targeted file, demonstrating the unauthorized access.

Remediation

Users are advised to update Gotenberg to version 8.32.0 or later, where this vulnerability has been fixed.
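
As an added illustration (not Gotenberg's own code and not the 8.32.0 fix), the Go function below shows the kind of scheme check a reverse proxy or wrapper service could apply to the two affected routes before a request reaches an unpatched instance. It assumes the target is submitted in a form field named 'url'; checkURLField and urlRoutes are hypothetical names, and the sample inputs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// urlRoutes lists the two routes the advisory names as lacking the scope guard.
var urlRoutes = map[string]bool{
	"/forms/chromium/convert/url":    true,
	"/forms/chromium/screenshot/url": true,
}

// checkURLField (hypothetical helper) decides whether a request to route may
// carry target, the value of the assumed "url" form field. On the two URL
// routes only absolute http/https URLs with a host are accepted; file:,
// scheme-less paths and every other scheme are rejected.
func checkURLField(route, target string) error {
	if !urlRoutes[strings.TrimRight(route, "/")] {
		return nil // other routes are out of scope for this guard
	}
	u, err := url.Parse(strings.TrimSpace(target))
	if err != nil {
		return fmt.Errorf("unparseable url: %w", err)
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
		if u.Host == "" {
			return fmt.Errorf("missing host in %q", target)
		}
		return nil
	default:
		return fmt.Errorf("scheme %q not allowed on %s", u.Scheme, route)
	}
}

func main() {
	// Constructed sample inputs, not taken from real traffic.
	samples := []string{"https://example.com/report", "file:///tmp/", "FILE:///tmp/x", "/tmp/x"}
	for _, s := range samples {
		fmt.Printf("%-28s -> %v\n", s, checkURLField("/forms/chromium/convert/url", s))
	}
}
```

The check inspects only the submitted field value, so it is a stopgap in front of an unpatched instance and not a substitute for upgrading.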

Added: May 14, 2026, 4:24 PM
Updated: May 14, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 7.2
remediation: 7.7
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.