Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
References and upstream patch:
Created rubygem-kramdown tracking bugs for this issue:
Affects: epel-7 [bug 1941046]
Affects: fedora-all [bug 1941045]
Red Hat supported products are not affected by this flaw because they do not ship rubygem-kramdown.
This flaw has been marked as Moderate because the victim application would need to be configured to pass external input strings to the vulnerable code. This seems to be an unlikely configuration.
Developers using rubygem-kramdown: Do not pass user or external input into custom Rouge formatter selection logic.
All other users/system administrators: There is no known mitigation at this time.