CVE-2021-3758: 
NixOS vulnerability analysis and mitigation

CVE-2021-3758 is a Server-Side Request Forgery (SSRF) vulnerability identified by CWE-918. The vulnerability was discovered in BookStack's export functionality, where untrusted server fetching could be performed to potentially unknown and user-provided locations, primarily affecting the export feature when loading externally referenced assets (GitHub Commit).

The vulnerability exists in the PDF export functionality where WKHTMLtoPDF and DOMPDF components could perform server-side fetches to untrusted locations. The issue was addressed by implementing a new configuration option 'ALLOWUNTRUSTEDSERVER_FETCHING' which controls external resource fetching behavior. When set to false (default), it prevents both WKHTMLtoPDF and DOMPDF from fetching external resources (GitHub Commit).

The vulnerability could allow an attacker to perform server-side requests to arbitrary locations through the application's export functionality, potentially leading to unauthorized access to internal resources or execution of server-side requests to external systems (GitHub Commit).

The issue was addressed by introducing the 'ALLOWUNTRUSTEDSERVERFETCHING' configuration option. By default, this option is set to false, preventing untrusted server fetching. Organizations can explicitly enable this feature by setting ALLOWUNTRUSTEDSERVERFETCHING=true if required for their use case (GitHub Commit).