Open imhunterand opened 1 year ago
A flaw was found in rubygem-kramdown. Rouge is a syntax highlighter used by kramdown. Restriction of the Rouge formatters to the Rouge::Formatters namespace does not occur when Ruby's const_get() method is called. This can lead to arbitrary classes being instantiated in situations where the application using kramdown, for example, accepts user input to select a Rogue syntax highlighter formatter. The highest threat from this vulnerability when exploited in a vulnerable configuration is to data confidentiality, integrity, and availability.
Developers using rubygem-kramdown: Do not pass user or external input into custom Rouge formatter selection logic.
All other users/system administrators: There is no known mitigation at this time. and approved this pull-request
as merged for patched this issues.
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
CVE-2021-28834
GHSA-52p9-v744-mwjj