CVE-2022-35583: 
NixOS vulnerability analysis and mitigation

wkhtmlTOpdf 0.12.6 contains a Server-Side Request Forgery (SSRF) vulnerability that was disclosed on August 22, 2022. The vulnerability allows an attacker to gain initial access to the target system by injecting an iframe tag with an internal asset IP address as its source. This vulnerability affects multiple versions of wkhtmltopdf across various operating systems and distributions (NVD, Ubuntu).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical), with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, and High impact on Confidentiality, Integrity, and Availability. The core issue stems from wkhtmltopdf's design, which retrieves external resources when employed inside a protected network in an automated way (Debian).

The exploitation of this vulnerability could allow attackers to take over the entire infrastructure by accessing internal assets. When wkhtmltopdf is deployed within a protected network, attackers can leverage this vulnerability to access internal resources, potentially leading to a complete system compromise (MITRE).

As of July 2023, no official fix has been made available by the upstream maintainers. The issue is not considered a wkhtmltopdf problem but rather an application issue where wkhtmltopdf is used without properly sanitizing user-supplied HTML/JS input. Users should restrict access to external resources when employing wkhtmltopdf in protected networks (Ubuntu).