1941044 – (CVE-2021-28834) CVE-2021-28834 rubygem-kramdown: allows arbitrary classes to be instantiated

Bug 1941044 (CVE-2021-28834) - CVE-2021-28834 rubygem-kramdown: allows arbitrary classes to be instantiated

Summary: CVE-2021-28834 rubygem-kramdown: allows arbitrary classes to be instantiated

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2021-28834
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1941045 1941046 1941650 1941651
Blocks:	1941047
TreeView+	depends on / blocked

Reported:	2021-03-19 19:59 UTC by Guilherme de Almeida Suckevicz
Modified:	2022-04-17 21:14 UTC (History)
CC List:	4 users (show)
Fixed In Version:	rubygem-kramdown 2.3.1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in rubygem-kramdown. Rouge is a syntax highlighter used by kramdown. Restriction of the Rouge formatters to the Rouge::Formatters namespace does not occur when Ruby's const_get() method is called. This can lead to arbitrary classes being instantiated in situations where the application using kramdown, for example, accepts user input to select a Rogue syntax highlighter formatter. The highest threat from this vulnerability when exploited in a vulnerable configuration is to data confidentiality, integrity, and availability.
Clone Of:
Environment:
Last Closed:	2021-11-02 23:26:38 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-03-19 19:59:48 UTC

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

References and upstream patch:
https://github.com/gettalong/kramdown/pull/708
https://gitlab.com/gitlab-org/gitlab/-/commit/179329b5c3c118924fb242dc449d06b4ed6ccb66

Comment 1 Guilherme de Almeida Suckevicz 2021-03-19 20:00:09 UTC

Created rubygem-kramdown tracking bugs for this issue:

Affects: epel-7 [bug 1941046]
Affects: fedora-all [bug 1941045]

Comment 2 Todd Cullum 2021-03-22 14:38:04 UTC

Statement:

Red Hat supported products are not affected by this flaw because they do not ship rubygem-kramdown.

Comment 4 Todd Cullum 2021-03-22 15:35:31 UTC

This flaw has been marked as Moderate because the victim application would need to be configured to pass external input strings to the vulnerable code. This seems to be an unlikely configuration.

Comment 5 Todd Cullum 2021-03-22 15:39:16 UTC

Mitigation:

Developers using rubygem-kramdown: Do not pass user or external input into custom Rouge formatter selection logic.
All other users/system administrators: There is no known mitigation at this time.

Note You need to log in before you can comment on or make changes to this bug.