Upgrade kramdown to version 2.3.0

Question

Upgrade kramdown to version 2.3.0

Closed this issue 4 years ago · 1 comments

to address high severity security alert from dependabot

Answer 1 · 2020-08-09T18:34:09.000Z

CVE-2020-14001
high severity
Vulnerable versions: < 2.3.0
Patched version: 2.3.0
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.