CVE-2020-14001 (High) detected in kramdown-1.16.2.gem

Question

CVE-2020-14001 (High) detected in kramdown-1.16.2.gem

mend-bolt-for-github opened this issue 4 years ago · 0 comments

mend-bolt-for-github commented 4 years ago

CVE-2020-14001 - High Severity Vulnerability

Vulnerable Library - kramdown-1.16.2.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-1.16.2.gem

Dependency Hierarchy:

github-pages-175.gem (Root Library)
- jekyll-default-layout-0.1.4.gem
  - jekyll-3.6.3.gem
    - ❌ kramdown-1.16.2.gem (Vulnerable Library)

Found in HEAD commit: c29c73eb10d7a4c8c322ad84f2276c7c4c174e94

Found in base branch: master

Vulnerability Details

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

Publish Date: 2020-07-17

URL: CVE-2020-14001

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001

Release Date: 2020-07-17

Fix Resolution: kramdown - 2.3.0

Step up your Open Source Security Game with WhiteSource here