GHSA-mqm2-cgpr-p4m6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mqm2-cgpr-p4m6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-mqm2-cgpr-p4m6/GHSA-mqm2-cgpr-p4m6.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-mqm2-cgpr-p4m6
- Aliases
- Published
- 2020-08-07T22:27:41Z
- Modified
- 2024-02-18T05:31:44.438590Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Unintended read access in kramdown gem
- Details
-
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
- Database specific
{ "nvd_published_at": "2020-07-17T16:15:00Z", "severity": "CRITICAL", "cwe_ids": [ "CWE-862" ], "github_reviewed": true, "github_reviewed_at": "2020-08-07T22:27:22Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-14001
- https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde
- https://github.com/advisories/GHSA-mqm2-cgpr-p4m6
- https://github.com/gettalong/kramdown
- https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/kramdown/CVE-2020-14001.yml
- https://kramdown.gettalong.org
- https://kramdown.gettalong.org/news.html
- https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2@%3Cnotifications.fluo.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L
- https://rubygems.org/gems/kramdown
- https://security.netapp.com/advisory/ntap-20200731-0004
- https://usn.ubuntu.com/4562-1
- https://www.debian.org/security/2020/dsa-4743
Affected packages
RubyGems / kramdown
Package
- Name
- kramdown
- Purl
- pkg:gem/kramdown
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.3.0
Affected versions
0.*
0.1.0
0.2.0
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.8.0
0.9.0
0.10.0
0.11.0
0.12.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.13.7
0.13.8
0.14.0
0.14.1
0.14.2
1.*
1.0.0
1.0.1
1.0.2
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.4.2
1.5.0
1.6.0
1.7.0
1.8.0
1.9.0
1.10.0
1.11.0
1.11.1
1.12.0
1.13.0
1.13.1
1.13.2
1.14.0
1.15.0
1.16.0
1.16.1
1.16.2
1.17.0
2.*
2.0.0.beta1
2.0.0.beta2
2.0.0
2.1.0
2.2.0
2.2.1