Package | wkhtmltopdf |
---|---|
Version | 0.12.1-2+deb8u1 (jessie), 0.12.3.2-3+deb9u1 (stretch) |
Related CVEs | CVE-2020-21365 |
Directory traversal vulnerability in wkhtmltopdf, a set of CLI utilities that convert HTML to PDF or images using WebKit, allows remote attackers to read local files and disclose sensitive information via a crafted HTML file when wkhtmltopdf runs with the default configuration.
Note that this update is a breaking change: local filesystem access is now blocked by default. If you need to enable it, use `--enable-local-file-access`. Another option is to use `--allow <path>` to specify the folder(s) from which local files are allowed to be loaded.
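
As an added example (not part of the advisory or of wkhtmltopdf itself), the following Python helper scans a template for local file references and builds a wkhtmltopdf command line that passes `--allow` only for the approved directories actually used, reporting any reference that falls outside them. The function names, paths and sample HTML are assumptions made for illustration.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

URL_ATTRS = {"src", "href", "data", "poster"}  # CSS url() is not scanned

class _LocalRefs(HTMLParser):
    """Collect attribute values that resolve to the local filesystem."""
    def __init__(self, base_dir):
        super().__init__()
        self.base_dir, self.paths = base_dir, []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = urlparse(value or "")
            local = url.scheme == "file" or not (url.scheme or url.netloc)
            if name in URL_ATTRS and local and url.path:
                # Relative references resolve against the input file's directory;
                # normpath collapses "../" before the directory check.
                path = posixpath.join(self.base_dir, unquote(url.path))
                self.paths.append(posixpath.normpath(path))

def plan_conversion(html, src, dst, approved_dirs):
    """Return (argv, rejected). src and approved_dirs must be absolute paths."""
    refs = _LocalRefs(posixpath.dirname(src))
    refs.feed(html)
    approved = [posixpath.normpath(d) for d in approved_dirs]
    needed, rejected = [], []
    for path in refs.paths:
        home = next((d for d in approved
                     if posixpath.commonpath([path, d]) == d), None)
        if home is None:
            rejected.append(path)      # would need a wider grant: review it
        elif home not in needed:
            needed.append(home)
    argv = ["wkhtmltopdf"]
    for d in needed:
        argv += ["--allow", d]         # never falls back to a blanket enable
    return argv + [src, dst], rejected

# Constructed sample template (hypothetical paths, not from the advisory).
SAMPLE = """<html><head><link rel="stylesheet" href="assets/report.css">
<script src="https://cdn.example.org/chart.js"></script></head>
<body><img src="file:///srv/reports/assets/logo.png">
<img src="../../etc/hostname"></body></html>"""

if __name__ == "__main__":
    print(plan_conversion(SAMPLE, "/srv/reports/in.html", "/tmp/out.pdf",
                          ["/srv/reports/assets"]))
```

A non-empty `rejected` list marks references that the new default will block; review each one before widening `--allow` or switching to `--enable-local-file-access`.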
For Debian 8 jessie, these problems have been fixed in version 0.12.1-2+deb8u1.
For Debian 9 stretch, these problems have been fixed in version 0.12.3.2-3+deb9u1.
We recommend that you upgrade your wkhtmltopdf packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.