CVE-2021-28834 (Critical) detected in kramdown-2.3.0.gem

[mend-bolt-for-github[bot]]

CVE-2021-28834 - Critical Severity Vulnerability

Vulnerable Library - kramdown-2.3.0.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-2.3.0.gem

Dependency Hierarchy: - github-pages-207.gem (Root Library) - :x: **kramdown-2.3.0.gem** (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

Publish Date: 2021-03-19

URL: CVE-2021-28834

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-19

Fix Resolution: 2.3.1

---

Step up your Open Source Security Game with Mend here

[secure-code-warrior-for-github[bot]]

Micro-Learning Topic: Vulnerable library (Detected by phrase)

What is this? (2min video)

Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.

Try this challenge in Secure Code Warrior

[secure-code-warrior-for-github[bot]]

Micro-Learning Topic: Vulnerable library (Detected by phrase)

Matched on "Vulnerable Library"

What is this? (2min video)

Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.

Try this challenge in Secure Code Warrior