CVE-2020-21365: 
NixOS vulnerability analysis and mitigation

Directory traversal vulnerability in wkhtmltopdf through version 0.12.5 allows remote attackers to read local files and disclose sensitive information via a crafted HTML file running with default configurations. The vulnerability was assigned CVE-2020-21365 and was discovered in November 2019 (GitHub Issue).

The vulnerability exists due to insufficient same-origin policy restrictions in wkhtmltopdf, which allows HTML files under the file domain to read any local files on the system. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue is tracked as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD Database).

An attacker can exploit this vulnerability by crafting a malicious HTML file that uses XMLHttpRequest to read local system files. When this HTML file is processed by wkhtmltopdf, it can access and expose sensitive information from the local filesystem, such as /etc/passwd and other critical system files (GitHub Issue).

The vulnerability has been fixed in version 0.12.6 by disabling local filesystem access by default. For systems that require local filesystem access, it can be explicitly enabled using the --enable-local-file-access or --allow options. Debian 10 users can update to version 0.12.5-1+deb10u1 which includes the security fix (Debian Advisory).