Bug 1858395 (CVE-2020-14001)
| Summary: | CVE-2020-14001 rubygem-kramdown: processing template options inside documents allows unintended read access or embedded Ruby code execution | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | ktdreyer, ruby-maint, vondruch |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | rubygem-kramdown 2.3.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in rubygem-kramdown in versions prior to 2.3.0. The template option allows unintended read access or embedded Ruby code execution which is enabled in Kramdown by default. The highest threat from this vulnerability is to data confidentiality and integrity.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-02 17:15:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1858414, 1858415, 1858416 | ||
| Bug Blocks: | 1858397 | ||
|
Description
Guilherme de Almeida Suckevicz
2020-07-17 19:46:07 UTC
Created rubygem-kramdown tracking bugs for this issue: Affects: epel-7 [bug 1858415] Affects: fedora-all [bug 1858414] Upstream advisory: https://kramdown.gettalong.org/news.html Statement: Rubygem-kramdown is not shipped in Red Hat Enterprise Linux 8 and is only used as a buildtime dependency only. Customers are not at risk for exploitation of this flaw. |