[DRE-maint] Bug#965305: ruby-kramdown: CVE-2020-14001
Salvatore Bonaccorso
carnil at debian.org
Sun Jul 19 07:39:02 BST 2020
Source: ruby-kramdown
Version: 1.17.0-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Control: found -1 1.17.0-1
Hi,
The following vulnerability was published for ruby-kramdown.
CVE-2020-14001[0]:
| The kramdown gem before 2.3.0 for Ruby processes the template option
| inside Kramdown documents by default, which allows unintended read
| access (such as template="/etc/passwd") or unintended embedded Ruby
| code execution (such as a string that begins with
| template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab
| Pages, GitHub Pages, and Thredded Forum.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-14001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001
[1] https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-ruby-extras-maintainers
mailing list