Bug 1209953

Summary: rubygem-redcarpet: possible XSS of untrusted markdown if autolink extension is enabled
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: mhicks
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Redcarpet 3.2.3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:40:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1209954, 1209955    
Bug Blocks:    

Description Vasyl Kaigorodov 2015-04-08 13:54:47 UTC 
redcarpet versions before 3.2.3 allow for possible XSS of untrusted markdown if autolink extension is enabled.

Upstream fix: https://github.com/vmg/redcarpet/commit/e5a10516d07114d582d13b9125b733008c61c242

CVE request: http://www.openwall.com/lists/oss-security/2015/04/07/11
Comment 1 Vasyl Kaigorodov 2015-04-08 13:55:12 UTC 
Created rubygem-redcarpet tracking bugs for this issue:

Affects: fedora-all [bug 1209954]
Affects: epel-all [bug 1209955]
Comment 2 Vasyl Kaigorodov 2015-07-02 08:44:47 UTC 
CVE-2015-5147 was assigned to another issue in rubygem-redcarpet, which does not affect Fedora/EPEL packages:

http://www.openwall.com/lists/oss-security/2015/06/30/10

Removing alias in this Bugzilla.
Comment 3 Product Security DevOps Team 2019-06-08 02:40:43 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.