Bug 1941044 (CVE-2021-28834) - CVE-2021-28834 rubygem-kramdown: allows arbitrary classes to be instantiated
Summary: CVE-2021-28834 rubygem-kramdown: allows arbitrary classes to be instantiated
Alias: CVE-2021-28834
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1941045 1941046 1941650 1941651
Blocks: 1941047
Reported: 2021-03-19 19:59 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:14 UTC

Fixed In Version: rubygem-kramdown 2.3.1
Doc Text:
A flaw was found in rubygem-kramdown. Rouge is a syntax highlighter used by kramdown. Rouge formatters are not restricted to the Rouge::Formatters namespace when Ruby's const_get() method is called. This can lead to arbitrary classes being instantiated in situations where the application using kramdown, for example, accepts user input to select a Rouge syntax highlighter formatter. The highest threat from this vulnerability when exploited in a vulnerable configuration is to data confidentiality, integrity, and availability.
Clone Of:
Last Closed: 2021-11-02 23:26:38 UTC


Description Guilherme de Almeida Suckevicz 2021-03-19 19:59:48 UTC
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

References and upstream patch:

Comment 1 Guilherme de Almeida Suckevicz 2021-03-19 20:00:09 UTC
Created rubygem-kramdown tracking bugs for this issue:

Affects: epel-7 [bug 1941046]
Affects: fedora-all [bug 1941045]

Comment 2 Todd Cullum 2021-03-22 14:38:04 UTC

Red Hat supported products are not affected by this flaw because they do not ship rubygem-kramdown.

Comment 4 Todd Cullum 2021-03-22 15:35:31 UTC
This flaw has been marked as Moderate because the victim application would need to be configured to pass external input strings to the vulnerable code. This seems to be an unlikely configuration.

Comment 5 Todd Cullum 2021-03-22 15:39:16 UTC

Developers using rubygem-kramdown: Do not pass user or external input into custom Rouge formatter selection logic.
All other users/system administrators: There is no known mitigation at this time.
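
Added example, not part of the bug report and not kramdown's or Rouge's own code: a Ruby sketch of the lookup behaviour the Doc Text describes, with an unrestricted const_get() beside a namespace-restricted one. The module DemoFormatters, the NAME_PATTERN check and all method names are hypothetical stand-ins so the example runs without Rouge installed.

```ruby
# Constructed stand-in for a formatter namespace such as Rouge::Formatters.
module DemoFormatters
  class HTML; end
  class Terminal256; end
end

# Hypothetical syntactic check on a requested formatter name.
# It only proves the string looks like a constant, not where it resolves.
NAME_PATTERN = /\A[[:upper:]][[:alnum:]_]*\z/

# Unrestricted lookup. Module#const_get defaults to inherit=true, and for a
# module receiver that also searches Object, so top-level classes resolve.
def lookup_unrestricted(name)
  return nil unless NAME_PATTERN.match?(name)
  DemoFormatters.const_get(name)
rescue NameError
  nil
end

# Restricted lookup. inherit=false limits resolution to constants defined
# directly in the namespace; anything that is not a class is refused.
def lookup_restricted(name)
  return nil unless NAME_PATTERN.match?(name)
  return nil unless DemoFormatters.const_defined?(name, false)
  const = DemoFormatters.const_get(name, false)
  const.is_a?(Class) ? const : nil
end

# Regression check for a test suite: true when a name resolves through the
# unrestricted path to something the restricted path would not return.
def escapes_namespace?(name)
  found = lookup_unrestricted(name)
  !found.nil? && !lookup_restricted(name).equal?(found)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two in-namespace names, one top-level class,
  # one name that fails the syntactic check.
  %w[HTML Terminal256 String html].each do |name|
    printf("%-12s unrestricted=%-28p restricted=%-28p escapes=%s\n",
           name, lookup_unrestricted(name), lookup_restricted(name),
           escapes_namespace?(name))
  end
end
```

Even with the restricted lookup in place, an application that maps external input to a fixed list of formatter names never hands the raw string to constant resolution at all.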
