Vulnerability Description
In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution.
CVSS Score
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Thecodingmachine | Gotenberg | <= 6.2.1 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/160744/Gotenberg-6.2.0-Traversal-Code-ExecuThird Party AdvisoryVDB Entry
- https://github.com/thecodingmachine/gotenberg/issues/199Third Party Advisory
- http://packetstormsecurity.com/files/160744/Gotenberg-6.2.0-Traversal-Code-ExecuThird Party AdvisoryVDB Entry
- https://github.com/thecodingmachine/gotenberg/issues/199Third Party Advisory
FAQ
What is CVE-2020-13452?
CVE-2020-13452 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution.
How severe is CVE-2020-13452?
CVE-2020-13452 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-13452?
Check the references section above for vendor advisories and patch information. Affected products include: Thecodingmachine Gotenberg.