Name | CVE-2022-35583 |
Description | wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target's system by injecting an iframe tag with initial asset IP address on its source. This allows the attacker to take over the whole infrastructure by accessing their internal assets. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
wkhtmltopdf (PTS) | jessie, jessie (lts) | 0.12.1-2+deb8u1 | vulnerable |
| stretch (lts), stretch | 0.12.3.2-3+deb9u1 | vulnerable |
| buster (security), buster, buster (lts) | 0.12.5-1+deb10u1 | vulnerable |
| bullseye | 0.12.6-1 | vulnerable |
| sid, trixie, bookworm | 0.12.6-2 | vulnerable |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
wkhtmltopdf | source | (unstable) | (unfixed) | unimportant | | |
Notes
https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently
https://github.com/wkhtmltopdf/wkhtmltopdf/issues/5249
By design, wkhtmltopdf retrieves external resources. If it is employed inside
a protected network in an automated way, a malicious actor may access internal
resources. A user of wkhtmltopdf should restrict such access.