CVE-2022-35583

Name: CVE-2022-35583
Description: wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target's system by injecting an iframe tag with an internal asset IP address in its source. This allows the attacker to take over the whole infrastructure by accessing their internal assets.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| wkhtmltopdf (PTS) | jessie, jessie (lts) | 0.12.1-2+deb8u1 | vulnerable |
| | stretch (lts), stretch | 0.12.3.2-3+deb9u1 | vulnerable |
| | buster (security), buster, buster (lts) | 0.12.5-1+deb10u1 | vulnerable |
| | bullseye | 0.12.6-1 | vulnerable |
| | sid, trixie, bookworm | 0.12.6-2 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| wkhtmltopdf | source | (unstable) | (unfixed) | unimportant | | |

Notes

https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently
https://github.com/wkhtmltopdf/wkhtmltopdf/issues/5249
By design, wkhtmltopdf retrieves external resources. If it is employed inside
a protected network in an automated way, a malicious actor may access internal
resources. A user of wkhtmltopdf should restrict such access.
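
One way to restrict such access at the input stage, shown as an added example that is not part of the tracker entry or of wkhtmltopdf: a pre-render check that refuses HTML whose resource references point anywhere other than an explicit host allowlist. The allowlist contents, the function names and the sample HTML are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes through which an HTML renderer fetches a resource (not exhaustive).
URL_ATTRS = {"src", "href", "data", "poster", "background"}
# Hypothetical allowlist: the only hosts the conversion job may fetch from.
ALLOWED_HOSTS = {"static.example.com"}

class RefCollector(HTMLParser):
    """Collects (tag, url) pairs for every URL-bearing attribute."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, value.strip()))

def classify(url):
    """Return None if the reference may be fetched, else a rejection reason."""
    if url.startswith("#") or url.lower().startswith("data:"):
        return None  # in-document anchor or inline data, no fetch
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ("http", "https") or not host:
        return "scheme or host not permitted"
    try:
        if not ipaddress.ip_address(host).is_global:
            return "non-public IP address"
        return "IP literal not on allowlist"
    except ValueError:
        pass  # not an IP literal, fall through to the name check
    return None if host in ALLOWED_HOSTS else "host not on allowlist"

def rejected_references(html):
    """List (tag, url, reason) for references that must block rendering."""
    collector = RefCollector()
    collector.feed(html)
    collector.close()
    return [(t, u, r) for t, u in collector.refs if (r := classify(u))]

# Constructed sample input, not taken from the advisory.
SAMPLE = """<h1>Invoice</h1>
<img src="https://static.example.com/logo.png">
<iframe src="http://10.0.0.5/"></iframe>
<img src="http://intranet.example/logo.png">"""
```

A non-empty result from `rejected_references` should stop the conversion. The check covers only the submitted markup, not redirects or DNS answers, so the rendering host still needs network-level egress restrictions.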
