Bug 1941044 (CVE-2021-28834)

Summary: CVE-2021-28834 rubygem-kramdown: allows arbitrary classes to be instantiated
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: extras-orphan, ktdreyer, mtasaka, ruby-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: rubygem-kramdown 2.3.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-kramdown. Rouge is a syntax highlighter used by kramdown. When kramdown resolves a Rouge formatter name with Ruby's const_get() method, the lookup is not restricted to the Rouge::Formatters namespace, so a formatter name can also resolve to any top-level class. This can lead to arbitrary classes being instantiated in situations where the application using kramdown, for example, accepts user input to select a Rouge syntax highlighter formatter. The highest threat from this vulnerability when exploited in a vulnerable configuration is to data confidentiality, integrity, and availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-02 23:26:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1941045, 1941046, 1941650, 1941651
Bug Blocks: 1941047

Description Guilherme de Almeida Suckevicz 2021-03-19 19:59:48 UTC
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

References and upstream patch:
https://github.com/gettalong/kramdown/pull/708
https://gitlab.com/gitlab-org/gitlab/-/commit/179329b5c3c118924fb242dc449d06b4ed6ccb66
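The lookup behaviour behind this flaw, as an added example that is not kramdown's or Rouge's code. The Formatters module below is a constructed stand-in for Rouge::Formatters so the script runs without either gem installed; vulnerable_formatter_class and safe_formatter_class are assumed shapes of the pre-2.3.1 lookup and of the fix (the hardened version follows the approach of the upstream pull request linked above: a bare-constant-name check plus const_get with inheritance disabled). The point it shows is that Module#const_get defaults to inherit=true, and for a Module receiver that also searches Object, so a user-supplied "File" or "Kernel" resolves even though neither constant lives under the formatter namespace; kramdown then calls .new on whatever came back.

```ruby
# Added example, not code from kramdown or Rouge. Constructed stand-in for
# Rouge::Formatters with two formatter classes.
module Formatters
  class HTML
    def initialize(opts = {})
      @opts = opts
    end
  end

  class Terminal256
    def initialize(opts = {})
      @opts = opts
    end
  end
end

# Assumed pre-2.3.1 shape: any String goes straight to const_get, whose
# inherit argument defaults to true. Because Formatters is a Module, the
# lookup also searches Object, so "File" or "Kernel" resolves to the
# top-level class/module. The caller then does formatter_class.new(opts).
def vulnerable_formatter_class(name)
  Formatters.const_get(name)
end

# Hardened shape following the upstream fix: accept only a bare constant
# name (no "::" path segments), look it up with inherit=false so only
# constants defined directly under Formatters are visible, and fall back
# to the default formatter for anything unknown.
def safe_formatter_class(name)
  case name
  when Class
    name
  when /\A[[:upper:]][[:alnum:]_]*\z/
    Formatters.const_get(name, false)
  else
    Formatters::HTML
  end
rescue NameError
  Formatters::HTML
end

# One-line comparison of both lookups for a given formatter string.
def report_lookup(name)
  vuln = begin
    vulnerable_formatter_class(name).name
  rescue NameError => e
    "NameError: #{e.message}"
  end
  "#{name.inspect}: vulnerable -> #{vuln}, hardened -> #{safe_formatter_class(name).name}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: two legitimate formatter names, then strings an
  # attacker might supply through a formatter-selection parameter.
  %w[HTML Terminal256 File Kernel File::Stat].each { |n| puts report_lookup(n) }
end
```

Running the script prints the vulnerable lookup returning File and Kernel for the attacker-controlled names while the hardened lookup returns Formatters::HTML for every name that is not a constant defined directly under Formatters. The regex also rejects "File::Stat" before const_get is reached, since const_get would otherwise walk the "::" path itself.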

Comment 1 Guilherme de Almeida Suckevicz 2021-03-19 20:00:09 UTC
Created rubygem-kramdown tracking bugs for this issue:

Affects: epel-7 [bug 1941046]
Affects: fedora-all [bug 1941045]

Comment 2 Todd Cullum 2021-03-22 14:38:04 UTC
Statement:

Red Hat supported products are not affected by this flaw because they do not ship rubygem-kramdown.

Comment 4 Todd Cullum 2021-03-22 15:35:31 UTC
This flaw has been marked as Moderate because the victim application would need to be configured to pass external input strings to the vulnerable code. This seems to be an unlikely configuration.

Comment 5 Todd Cullum 2021-03-22 15:39:16 UTC
Mitigation:

Developers using rubygem-kramdown: Do not pass user or external input into custom Rouge formatter selection logic.
All other users/system administrators: There is no known mitigation at this time.