CVE-2020-13449

7.5 HIGH

📋 TL;DR

CVE-2020-13449 is a directory traversal vulnerability in the Markdown engine of Gotenberg, a containerised HTML/Markdown/Office-to-PDF conversion API. An attacker who can submit a conversion request can read arbitrary files that the Gotenberg process can open inside its container. Gotenberg versions through 6.2.1 are affected when they process attacker-supplied Markdown input; the conversion endpoint has no authentication of its own, so any deployment that accepts user-supplied documents is at risk.

💻 Affected Systems

Products:
  • Gotenberg
Versions: through 6.2.1
Operating Systems: All container platforms (Docker, Kubernetes, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments where Gotenberg processes user-supplied Markdown files. The vulnerability is in the Markdown conversion functionality.

📦 What is this software?

Gotenberg is a stateless, Docker-packaged HTTP API that converts HTML, Markdown and Office documents to PDF, driving headless Chrome and LibreOffice inside the container. It is typically deployed as an internal microservice behind an application that forwards user-uploaded documents to it; the Markdown conversion endpoint at the centre of this CVE is /convert/markdown.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Exfiltration of every file readable by the Gotenberg process: mounted secrets, TLS keys and the process environment via /proc/self/environ, and on Kubernetes the service account token under /var/run/secrets/kubernetes.io/serviceaccount/. Those credentials are then replayed against neighbouring systems. The bug itself is a file read, not code execution, so moving from "read files" to "compromised container" depends on what secrets were mounted into it.

🟠 Likely Case

Unauthorized reading of configuration files, environment variables and application secrets present in the container, including anything the deployment template mounted in for convenience.

🟢 If Mitigated

Limited impact when the instance is reachable only from the application that feeds it, no credentials are mounted into the container, and the container runs as an unprivileged user with a minimal filesystem: an attacker then reads only files already present in the public image.

🌐 Internet-Facing: HIGH - A publicly reachable Gotenberg instance can be exploited directly, without authentication, by anyone who can POST a conversion request.
🏢 Internal Only: MEDIUM - An internal attacker, or any upstream application that forwards user-controlled Markdown to Gotenberg without inspection, can use the file read to harvest secrets from the container and pivot from there.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted Markdown files to the vulnerable endpoint. Public proof-of-concept code exists in the Packet Storm references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2.2 and later

Vendor Advisory: https://github.com/thecodingmachine/gotenberg/issues/199

Restart Required: Yes

Instructions:

1. Update Gotenberg to version 6.2.2 or later.
2. Pull the fixed image by an explicit tag rather than `latest`, so the deployed version is known and reproducible: docker pull thecodingmachine/gotenberg:<fixed tag> (replace the placeholder with the tag of the fixed release you are rolling out).
3. Restart (recreate) your Gotenberg containers from the new image; a running container keeps the old binary until it is recreated.
4. Verify the fix against a non-production instance using the traversal test described under "How to Verify".

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Reject Markdown uploads that contain directory traversal sequences before they reach Gotenberg. Apply the check in the service that forwards documents to Gotenberg (or in a reverse proxy that can parse multipart bodies), not only on the URL: the traversal sequence travels inside the uploaded file, not in the request path.

Implement regex filter: /(\.\.\/|\.\.\\)/
Reject any Markdown containing '../' or '..\' patterns

Caveat: a literal match on '../' misses percent-encoded (%2e%2e%2f) and double-encoded variants. Decode the content to a canonical form before matching, and treat the regex as a stopgap until the image is upgraded, not as a substitute for the patch.
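The filter below is an added example of the hardened form of that check; it is not code from Gotenberg or from the advisory. It canonicalizes each whitespace-delimited token (repeated percent-decoding, backslashes folded to slashes) and flags any token with a '..' path segment, then applies that to the parts of a multipart upload. The sample request parts are constructed for the example; the part names and the `scan_upload` / `compare_with_naive` helpers are assumptions for illustration, not a Gotenberg API.

```python
import re
from urllib.parse import unquote

# The literal-only check from the workaround above, kept for comparison.
NAIVE_TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")

# A '..' segment at a path boundary: '../x', 'dir/..', '"../x"', '(../x)'.
# Word characters or dots directly before '..' are excluded so that 'wait..',
# 'a../b' and '...' are not flagged.
TRAVERSAL_AT_BOUNDARY = re.compile(r"(?:^|[^\w.])\.\./|/\.\.(?:$|[^\w.])")


def canonicalize(text: str, max_rounds: int = 3) -> str:
    """Undo the encodings used to hide a traversal sequence.

    Percent-decoding is repeated because double encoding (%252e -> %2e -> .)
    survives a single pass; the loop stops as soon as decoding is a no-op.
    Backslashes are folded to forward slashes so '..\\' and '../' are handled
    by one check.
    """
    current = text
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def traversal_segments(text: str) -> list[str]:
    """Return every whitespace-delimited token in `text` that, once
    canonicalized, contains a '..' path segment."""
    hits = []
    for token in re.findall(r"\S+", text):
        if TRAVERSAL_AT_BOUNDARY.search(canonicalize(token)):
            hits.append(token)
    return hits


def scan_upload(parts: dict[str, bytes]) -> dict[str, list[str]]:
    """Check each uploaded part (file name -> raw content) and return the
    offending tokens per part. An empty dict means the request may be
    forwarded to Gotenberg; anything else should be rejected with a 400."""
    findings: dict[str, list[str]] = {}
    for name, body in parts.items():
        hits = traversal_segments(body.decode("utf-8", errors="replace"))
        if hits:
            findings[name] = hits
    return findings


def compare_with_naive(parts: dict[str, bytes]) -> dict[str, bool]:
    """For every part the hardened check flags, report whether the literal
    regex from the workaround would also have caught it."""
    return {
        name: bool(NAIVE_TRAVERSAL.search(parts[name].decode("utf-8", errors="replace")))
        for name in scan_upload(parts)
    }


# Constructed sample: the parts of one multipart request to /convert/markdown.
# 'notes.md' is benign (a trailing '..' is not a path segment); the other two
# Markdown parts carry traversal sequences, one of them double-encoded.
SAMPLE_PARTS = {
    "index.html": b"<html><body>report</body></html>",
    "notes.md": b"# Quarterly notes\n\nSee figures..\nTotals are in the appendix.\n",
    "encoded.md": b"Read me %252e%252e%252fetc%252fpasswd please\n",
    "backslash.md": b"Read me ..\\secrets.env please\n",
}

if __name__ == "__main__":
    print(scan_upload(SAMPLE_PARTS))
    print(compare_with_naive(SAMPLE_PARTS))
```

Run against the sample, the hardened check rejects both malicious parts, while the literal regex only catches the backslash variant; that gap is why the regex alone is a stopgap. Note that the filter inspects content, not file names, and that legitimate Markdown that genuinely contains a relative link such as `../images/a.png` will be rejected too, which is the intended trade-off while unpatched.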

Network Restriction (linux)

Restrict Gotenberg access to trusted networks only. Gotenberg has no authentication, so network reachability is the only access control you have until the image is patched.

iptables -A INPUT -p tcp --dport 3000 -s <trusted CIDR> -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

Caveat: the INPUT rules above only apply when Gotenberg listens directly on the host. A port published by Docker (-p 3000:3000) is NAT-forwarded and traverses the FORWARD chain, bypassing INPUT entirely; filter it in Docker's DOCKER-USER chain instead, where --dport matches the container-side port (3000 by default):

iptables -I DOCKER-USER -p tcp --dport 3000 ! -s <trusted CIDR> -j DROP

On Kubernetes the equivalent is a NetworkPolicy that admits ingress to the Gotenberg pods only from the namespaces or pods that call it.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Gotenberg instances from sensitive systems, and mount no credentials or secrets into the container that the conversion job does not need
  • Deploy WAF or reverse-proxy rules that inspect multipart upload bodies for directory traversal patterns; URL-only rules do not see the Markdown content where the traversal sequence lives

🔍 How to Verify

Check if Vulnerable:

Test against a non-production instance only: send a Markdown conversion request whose Markdown references a path containing '../etc/passwd' or a similar traversal sequence to the Markdown conversion endpoint, and inspect the resulting output for contents of a file that the request should never have been able to read.

Check Version:

docker inspect --format '{{.Config.Image}} {{.Image}}' gotenberg_container

The image tag and digest are the reliable indicator of what is running; compare them with the fixed release. A container started from the `latest` tag tells you nothing about its version on its own, so resolve the digest against the registry. If the binary in your image supports it, `docker exec gotenberg_container gotenberg --version` is a secondary check.

Verify Fix Applied:

Repeat the same traversal test after patching: the conversion must fail with an error or produce output that does not contain the referenced file's contents.

📡 Detection & Monitoring

Log Indicators:

  • Markdown conversion requests whose uploaded content contains '../', '..\' or percent-encoded equivalents (visible only where the upstream application or proxy logs or inspects the multipart body, since the sequence is not in the URL)
  • File opens outside the per-request working directory by the Gotenberg process; plain container stdout does not record these, so this needs a runtime audit tool such as auditd or Falco
  • Bursts of rejected (4xx) requests to the Markdown endpoint from one client, the signature of a filter being probed for a bypass

Network Indicators:

  • HTTP POST requests to /convert/markdown with suspicious payloads
  • Unusual outbound data transfers from Gotenberg containers

SIEM Query:

source="gotenberg" AND ("../" OR "..\\" OR "%2e%2e" OR "directory traversal")

Substring matching of this kind only sees sequences that reach the log verbatim; decode request fields before matching where your SIEM supports it, or the encoded variants will be missed.
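As an added example of the behavioural side of the indicators above (not part of the original page, and not Gotenberg's own logging), the scanner below reads access-log lines from a reverse proxy placed in front of Gotenberg and raises three kinds of alert: a decoded request target with a '..' segment, a client reaching a threshold of rejected requests to /convert/markdown, and a successful conversion from a client that was previously rejected, which is the pattern of a filter bypass. The log lines are constructed for the example in Common Log Format; Gotenberg 6 itself does not write an access log in this shape, and the threshold is an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format as written by a reverse proxy in front of Gotenberg.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)
MARKDOWN_ENDPOINT = "/convert/markdown"
REJECTION_THRESHOLD = 3  # assumed tuning value for this example

# Constructed sample log: one legitimate client, one client probing the
# filter (three rejections, then a success), one client sending an encoded
# traversal in the URL itself.
SAMPLE_LOG = """\
10.1.2.3 - - [12/Jun/2020:10:00:01 +0000] "POST /convert/markdown HTTP/1.1" 200 48211
10.1.2.3 - - [12/Jun/2020:10:00:02 +0000] "POST /convert/html HTTP/1.1" 200 30112
203.0.113.9 - - [12/Jun/2020:10:05:10 +0000] "POST /convert/markdown HTTP/1.1" 400 0
203.0.113.9 - - [12/Jun/2020:10:05:11 +0000] "POST /convert/markdown HTTP/1.1" 400 0
203.0.113.9 - - [12/Jun/2020:10:05:12 +0000] "POST /convert/markdown HTTP/1.1" 400 0
203.0.113.9 - - [12/Jun/2020:10:05:13 +0000] "POST /convert/markdown HTTP/1.1" 200 1893
198.51.100.4 - - [12/Jun/2020:10:07:00 +0000] "GET /convert/markdown/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
"""


def parse_lines(text: str) -> list[dict]:
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def has_dotdot(target: str) -> bool:
    """True when the request target, decoded twice (to catch double encoding)
    and with backslashes folded, contains a '..' path segment."""
    path = unquote(unquote(target)).replace("\\", "/")
    return any(seg == ".." for seg in path.split("/"))


def analyze(text: str) -> list[dict]:
    """Walk the log in order and emit alerts as they become provable."""
    alerts = []
    rejections: Counter = Counter()
    for ev in parse_lines(text):
        client, target, status = ev["client"], ev["target"], ev["status"]
        if has_dotdot(target):
            alerts.append({"client": client, "kind": "traversal_in_request_target",
                           "target": target})
        if not target.startswith(MARKDOWN_ENDPOINT):
            continue
        if 400 <= status < 500:
            rejections[client] += 1
            if rejections[client] == REJECTION_THRESHOLD:
                alerts.append({"client": client, "kind": "repeated_rejections",
                               "count": REJECTION_THRESHOLD})
        elif status == 200 and rejections[client] > 0:
            # A conversion that succeeds after the filter has rejected the same
            # client is the pattern to escalate: the payload may have been
            # re-encoded until it slipped through.
            alerts.append({"client": client, "kind": "success_after_rejections",
                           "count": rejections[client]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample this yields three alerts, all from the two suspicious clients and none from the legitimate one. The rejection-then-success rule is the one worth keeping even after patching: it is independent of the payload encoding and flags any client working around an input filter.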
