Bug 1915370 (CVE-2020-26298) - CVE-2020-26298 rubygem-redcarpet: does not escape HTML when processing quotes which could result in XSS vulnerability
Keywords:
Status: NEW
Alias: CVE-2020-26298
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1915372 1915373 1915371 1915374
Blocks: 1915375
 
Reported: 2021-01-12 14:23 UTC by Michael Kaplan
Modified: 2023-07-07 08:33 UTC

Fixed In Version: rubygem-redcarpet 3.5.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Michael Kaplan 2021-01-12 14:23:18 UTC
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.

External References:

https://github.com/advisories/GHSA-q3wr-qw3g-3p4h
https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security
https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793
https://rubygems.org/gems/redcarpet
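As an added example (not code from this bug report or from the Redcarpet project), the probe below models the HTML renderer's quote callback before and after 3.5.1 in pure Ruby and then runs the same payload against whatever redcarpet gem is installed, using only the gem's public API (`Redcarpet::Render::HTML.new(escape_html: true)`, `Redcarpet::Markdown.new(renderer, quote: true)`, `render`). The function names, the constructed payload and the pass/fail regex are this example's own; the two Ruby stand-ins are simplified assumptions about the renderer's behaviour, not a transcription of its C source.

```ruby
require 'cgi'

# Constructed probe payload: with the :quote extension enabled, "..." is
# rendered as <q>...</q>, and the text between the quote characters is
# what this check cares about.
QUOTE_PAYLOAD = %q("<script>alert(1)</script>")

# Markup that must never survive inside the <q> element once the renderer
# was created with escape_html: true.
RAW_TAG = /<q>.*?<script>/m

# Assumed pure-Ruby model of the quote callback before 3.5.1: the quoted
# text is copied through unchanged, so escape_html has no effect here.
def render_quote_vulnerable(text, escape_html: true)
  "<q>#{text}</q>"
end

# Assumed model of the behaviour after the 3.5.1 fix: the quoted text is
# HTML-escaped whenever escape_html is set.
def render_quote_fixed(text, escape_html: true)
  inner = escape_html ? CGI.escapeHTML(text) : text
  "<q>#{inner}</q>"
end

# True when rendered HTML still carries the payload's tag unescaped.
def unescaped_quote?(html)
  !!(html =~ RAW_TAG)
end

# Runs the probe against the installed gem. Returns :not_installed when
# redcarpet cannot be loaded, :vulnerable when the tag survives unescaped,
# and :fixed otherwise.
def probe_installed_redcarpet(payload = QUOTE_PAYLOAD)
  begin
    require 'redcarpet'
  rescue LoadError
    return :not_installed
  end
  renderer = Redcarpet::Render::HTML.new(escape_html: true)
  markdown = Redcarpet::Markdown.new(renderer, quote: true)
  unescaped_quote?(markdown.render(payload)) ? :vulnerable : :fixed
end

if __FILE__ == $PROGRAM_NAME
  inner = QUOTE_PAYLOAD[1..-2] # strip the surrounding quote characters
  puts "model (pre-3.5.1): #{render_quote_vulnerable(inner)}"
  puts "model (3.5.1):     #{render_quote_fixed(inner)}"
  puts "installed gem:     #{probe_installed_redcarpet}"
end
```

The `:quote` Markdown extension must be enabled for `"..."` to become `<q>`, so an application that never turns it on does not reach the affected callback; one that does, and relies on `escape_html: true` to neutralise user-supplied Markdown, gets the unescaped `<script>` on any version before 3.5.1. Run the script against the gem version in production (`gem list redcarpet` shows it) rather than trusting the model alone.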

Comment 1 Michael Kaplan 2021-01-12 14:23:49 UTC
Created rubygem-redcarpet tracking bugs for this issue:

Affects: epel-all [bug 1915372]
Affects: fedora-all [bug 1915371]
Affects: openstack-rdo [bug 1915373]

