hashicorp/serf

Upgrade kramdown package used in Website Gemfile.lock to version 2.3.0+ to fix Remote Code Execution CVE-2020-14001

sudgithub8 opened this issue · 0 comments

The Gemfile.lock for the website code uses kramdown (1.15.0) (https://github.com/hashicorp/serf/blob/master/website/Gemfile.lock#L54), which is vulnerable to Remote Code Execution, CVE-2020-14001: https://security.snyk.io/vuln/SNYK-RUBY-KRAMDOWN-585939.

As a fix, we need to upgrade the kramdown package used in Website Gemfile.lock to version 2.3.0+.
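
An added example (not part of the issue or the serf repository): a Ruby check that parses a Gemfile.lock, flags a kramdown lock below the 2.3.0 named above, and lists parent gems whose version constraints would block the upgrade. The sample lockfile and the `example-*` gem names are constructed for illustration.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement

# Minimum fixed version, taken from the issue text above.
FIXED = { "kramdown" => Gem::Version.new("2.3.0") }.freeze

# Constructed sample lockfile, not the project's real file.
# The example-* gem names are hypothetical.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-markdown-ext (1.0.0)
        kramdown (>= 1.10)
      example-site-theme (0.3.0)
        kramdown (~> 1.2)
      kramdown (1.15.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    example-site-theme
LOCK

# Returns one finding per watched gem locked below its fixed version, with
# the parent gems whose constraints exclude the fixed version.
def audit_lockfile(text, fixed = FIXED)
  locked = {}
  blockers = Hash.new { |h, k| h[k] = [] }
  parent = nil
  in_specs = false
  text.each_line(chomp: true) do |line|
    if line =~ /\A\S/ # top-level section header (GEM, PLATFORMS, ...)
      in_specs = false
    elsif line == "  specs:"
      in_specs = true
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      parent = m[1] # resolved gem: "    name (version)"
      locked[parent] = Gem::Version.new(m[2]) if fixed.key?(parent)
    elsif in_specs && (m = line.match(/\A {6}(\S+) \(([^)]+)\)\z/))
      next unless fixed.key?(m[1]) # dependency line: "      name (constraint)"
      req = Gem::Requirement.new(*m[2].split(/,\s*/))
      blockers[m[1]] << "#{parent} (#{m[2]})" unless req.satisfied_by?(fixed[m[1]])
    end
  end
  fixed.map do |name, min|
    next if locked[name].nil? || locked[name] >= min
    { gem: name, locked: locked[name].to_s, need: min.to_s, blocked_by: blockers[name] }
  end.compact
end

audit_lockfile(SAMPLE_LOCK).each { |f| puts f }
```

A non-empty `blocked_by` list means the parent gems must be updated as well before the lockfile can resolve to the fixed version.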