Bug 1941044 (CVE-2021-28834)

Summary: CVE-2021-28834 rubygem-kramdown: allows arbitrary classes to be instantiated
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: extras-orphan, ktdreyer, mtasaka, ruby-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: rubygem-kramdown 2.3.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-kramdown. Rouge is a syntax highlighter used by kramdown. Restriction of the Rouge formatters to the Rouge::Formatters namespace does not occur when Ruby's const_get() method is called. This can lead to arbitrary classes being instantiated in situations where the application using kramdown, for example, accepts user input to select a Rogue syntax highlighter formatter. The highest threat from this vulnerability when exploited in a vulnerable configuration is to data confidentiality, integrity, and availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-02 23:26:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1941045, 1941046, 1941650, 1941651    
Bug Blocks: 1941047    

Description Guilherme de Almeida Suckevicz 2021-03-19 19:59:48 UTC
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

References and upstream patch:

Comment 1 Guilherme de Almeida Suckevicz 2021-03-19 20:00:09 UTC
Created rubygem-kramdown tracking bugs for this issue:

Affects: epel-7 [bug 1941046]
Affects: fedora-all [bug 1941045]

Comment 2 Todd Cullum 2021-03-22 14:38:04 UTC

Red Hat supported products are not affected by this flaw because they do not ship rubygem-kramdown.

Comment 4 Todd Cullum 2021-03-22 15:35:31 UTC
This flaw has been marked as Moderate because the victim application would need to be configured to pass external input strings to the vulnerable code. This seems to be an unlikely configuration.

Comment 5 Todd Cullum 2021-03-22 15:39:16 UTC

Developers using rubygem-kramdown: Do not pass user or external input into custom Rouge formatter selection logic.
All other users/system administrators: There is no known mitigation at this time.