mapbox.js icon indicating copy to clipboard operation
mapbox.js copied to clipboard
verified publisher icon mapbox

Remote code execution in Kramdown

Open imhunterand opened this issue 3 years ago • 1 comments

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

CVE-2021-28834 GHSA-52p9-v744-mwjj

imhunterand avatar Aug 19 '22 13:08 imhunterand

Additional Descriptions of Informations

A flaw was found in rubygem-kramdown. Rouge is a syntax highlighter used by kramdown. Restriction of the Rouge formatters to the Rouge::Formatters namespace does not occur when Ruby's const_get() method is called. This can lead to arbitrary classes being instantiated in situations where the application using kramdown, for example, accepts user input to select a Rogue syntax highlighter formatter. The highest threat from this vulnerability when exploited in a vulnerable configuration is to data confidentiality, integrity, and availability.

Mitigation

Developers using rubygem-kramdown: Do not pass user or external input into custom Rouge formatter selection logic. All other users/system administrators: There is no known mitigation at this time. and approved this pull-request as merged for patched this issues.

imhunterand avatar Sep 24 '22 20:09 imhunterand