5 matches found
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the convertUrlRoute and screenshotUrlRoute processes. An attacker can access sensitive files belonging to other users' in-flight conversion requests by submitting specially crafted file:// URLs pointi...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the extraHttpHeaders field in the /forms/chromium/screenshot/url endpoint, where user-supplied scope patterns are compiled without a proper timeout. An attacker can cause the...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the extraHttpHeaders field in the /forms/chromium/screenshot/url endpoint, where user-supplied scope patterns are compiled without a proper timeout. An attacker can cause the...
Allocation of Resources Without Limits or Throttling
Overview github.com/gotenberg/gotenberg/v7/pkg/modules/chromium is a Docker-powered stateless API for PDF files. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the extraHttpHeaders field in the /forms/chromium/screenshot/url endpoint,...
GHSA-FMWG-QCQH-M992 Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature
Summary Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely. Details Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns...