Bug 1858395 (CVE-2020-14001) - CVE-2020-14001 rubygem-kramdown: processing template options inside documents allows unintended read access or embedded Ruby code execution
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-14001
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Severity: high
Priority: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1858414 1858415 1858416
Blocks: 1858397
Reported: 2020-07-17 19:46 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-02 17:15 UTC (History)

Fixed In Version: rubygem-kramdown 2.3.0
Clone Of:
Environment:
Last Closed: 2021-11-02 17:15:33 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2020-07-17 19:46:07 UTC
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

Reference and upstream commit:
https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde
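An added example, not kramdown's own code and not part of this bug report: a small scanner that finds kramdown inline option blocks (`{::options key="value" /}`) setting an option a document must not control, such as `template`, and strips them before the text reaches a renderer. The forbidden-option list and the sample document are constructed for the example.

```ruby
# Added example, not kramdown's code: detect and strip kramdown inline
# option blocks ({::options key="value" /}) that set options a document
# should never control. The forbidden list is an assumption for this
# example; "template" is the option the advisory is about.
OPTIONS_BLOCK = /\{::options\s+(?<attrs>.*?)\s*\/\}/m
ATTR_PAIR     = /(?<key>[A-Za-z_][\w-]*)\s*=\s*(?:"(?<dq>[^"]*)"|'(?<sq>[^']*)')/
FORBIDDEN_INLINE_OPTIONS = %w[template].freeze

# Constructed sample document: one harmless option block and one that
# points the template option at a file, as in the bug description.
SAMPLE_DOC = <<~MD
  # Release notes

  {::options auto_ids="false" /}

  {::options template="/etc/passwd" /}
MD

# Returns [{line:, option:, value:}, ...] for every forbidden option set
# inside an inline options block (line numbers are 1-based).
def find_forbidden_inline_options(markdown, forbidden = FORBIDDEN_INLINE_OPTIONS)
  findings = []
  markdown.scan(OPTIONS_BLOCK) do
    block = Regexp.last_match
    line  = markdown[0...block.begin(0)].count("\n") + 1
    block[:attrs].scan(ATTR_PAIR) do
      pair = Regexp.last_match
      next unless forbidden.include?(pair[:key])
      findings << { line: line, option: pair[:key], value: pair[:dq] || pair[:sq] }
    end
  end
  findings
end

# Rewrites each options block without its forbidden attributes (dropping
# the block entirely if nothing is left), for hosts that must still feed
# untrusted documents to a kramdown older than 2.3.0.
def strip_forbidden_inline_options(markdown, forbidden = FORBIDDEN_INLINE_OPTIONS)
  markdown.gsub(OPTIONS_BLOCK) do
    kept = []
    Regexp.last_match[:attrs].scan(ATTR_PAIR) do
      pair = Regexp.last_match
      kept << pair[0] unless forbidden.include?(pair[:key])
    end
    kept.empty? ? "" : "{::options #{kept.join(' ')} /}"
  end
end
```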

Comment 2 Todd Cullum 2020-07-17 21:25:51 UTC
Created rubygem-kramdown tracking bugs for this issue:

Affects: epel-7 [bug 1858415]
Affects: fedora-all [bug 1858414]

Comment 7 Todd Cullum 2020-07-20 19:33:59 UTC
Upstream advisory: https://kramdown.gettalong.org/news.html

Comment 8 Eric Christensen 2020-07-21 20:43:26 UTC
Statement:

Rubygem-kramdown is not shipped in Red Hat Enterprise Linux 8 and is only used as a build-time dependency. Customers are not at risk for exploitation of this flaw.

