wkhtmltopdf 0.12.6 is vulnerable to SSRF, which allows an attacker to get initial access into the target's system by injecting an iframe tag whose src points to an internal asset's IP address. This allows the attacker to take over the whole infrastructure by accessing their internal assets. https://wkhtmltopdf.org/ https://drive.google.com/file/d/1LAmf_6CJLk5qDp0an2s_gVQ0TN2wmht5/view?usp=sharing https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently
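The root cause described above is that wkhtmltopdf fetches whatever the input HTML references, so untrusted HTML can make the renderer reach internal addresses. The following is an added defensive example, not code from the Bugzilla entry or from the wkhtmltopdf project: it scans the HTML before rendering, rejects embedding elements (iframe, frame, object, embed) outright, rejects non-http(s)/data references such as file://, flags http(s) references whose host is a loopback, private, link-local or otherwise non-global address, and builds a hardened wkhtmltopdf command line using the documented `--disable-local-file-access` and `--disable-javascript` options. The sample HTML, the `check_html` and `_is_internal` helpers and the `resolve_names` switch are this example's own constructions.

```python
"""Pre-render checks for HTML handed to wkhtmltopdf (added example, not project code)."""
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose URL attributes wkhtmltopdf will fetch while rendering.
FETCHING_ATTRS = {
    "iframe": ("src",), "frame": ("src",), "img": ("src",), "script": ("src",),
    "link": ("href",), "object": ("data",), "embed": ("src",), "source": ("src",),
}
# Elements that embed a whole document; untrusted input gets none of these.
EMBEDDING_TAGS = {"iframe", "frame", "object", "embed"}
ALLOWED_SCHEMES = {"http", "https", "data"}


class _RefCollector(HTMLParser):
    """Collects (tag, attribute, url) for every fetch-triggering attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):  # HTMLParser lowercases tag/attr names
        for attr, value in attrs:
            if value and attr in FETCHING_ATTRS.get(tag, ()):
                self.refs.append((tag, attr, value.strip()))


def _is_internal(host: str, resolve_names: bool = False) -> bool:
    """True when host is a loopback/private/link-local/reserved/unspecified address.

    With resolve_names=True, hostnames are resolved and every returned address is
    checked; an unresolvable name fails closed. Resolution is off by default so
    the example runs offline.
    """
    candidates = []
    try:
        candidates.append(ipaddress.ip_address(host))
    except ValueError:
        if host.lower() == "localhost":
            return True
        if resolve_names:
            try:
                for info in socket.getaddrinfo(host, None):
                    candidates.append(ipaddress.ip_address(info[4][0]))
            except socket.gaierror:
                return True
    return any(
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_reserved or ip.is_unspecified
        for ip in candidates
    )


def check_html(html: str, resolve_names: bool = False) -> list[str]:
    """Return a list of findings; an empty list means the document may be rendered."""
    parser = _RefCollector()
    parser.feed(html)
    findings = []
    for tag, attr, url in parser.refs:
        if tag in EMBEDDING_TAGS:
            findings.append(f"<{tag}> is not allowed: {url}")
            continue
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            # Covers file://, other exotic schemes and relative paths (scheme == "").
            findings.append(f"<{tag} {attr}> uses disallowed scheme {scheme or 'relative'!r}: {url}")
        elif scheme != "data" and _is_internal(parts.hostname or "", resolve_names):
            findings.append(f"<{tag} {attr}> points at an internal address: {url}")
    return findings


def wkhtmltopdf_argv(input_path: str, output_path: str) -> list[str]:
    """Hardened invocation: no local file reads and no script execution while rendering."""
    return ["wkhtmltopdf", "--disable-local-file-access", "--disable-javascript",
            input_path, output_path]


# Constructed sample: one legitimate external image plus three references the
# check must reject (embedded frame to an internal host, loopback fetch, file://).
SAMPLE = """<html><body>
<h1>Invoice</h1>
<img src="https://cdn.example.invalid/logo.png">
<iframe src="http://10.0.0.5/"></iframe>
<img src="http://127.0.0.1/status.png">
<link rel="stylesheet" href="file:///etc/hostname">
</body></html>"""

if __name__ == "__main__":
    for finding in check_html(SAMPLE):
        print("REJECT:", finding)
    print(" ".join(wkhtmltopdf_argv("/tmp/in.html", "/tmp/out.pdf")))
```

In a deployment, run the check with `resolve_names=True` so hostnames and unusual IP spellings are resolved before comparison, and treat the check as one layer only: DNS rebinding and redirects can still steer a fetch after the check passes, so the rendering process itself should run in a network namespace or container with no route to internal services.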
Created wkhtmltopdf tracking bugs for this issue:
Affects: epel-7 [bug 2120553]
Affects: fedora-all [bug 2120552]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.