RubySec

Providing security resources for the Ruby community

CVE-2021-28834 (kramdown): Remote code execution in Kramdown

GEM

kramdown

SEVERITY

CVSS v3: 9.8

UNAFFECTED VERSIONS

  • < 1.16.0

PATCHED VERSIONS

  • >= 2.3.1

DESCRIPTION

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
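The lookup failure the advisory describes, as an added example rather than kramdown's or Rouge's own code: a stand-in `Formatters` module (an assumption, in place of `Rouge::Formatters`) shows why Ruby's `Module#const_get` resolves names outside the namespace unless `inherit` is false, and how a scoped lookup rejects them.

```ruby
# Added example, not from the advisory, kramdown or Rouge.
# Stand-in namespace modelling Rouge::Formatters (assumption; the real
# formatter classes are not loaded here).
module Formatters
  class HTML; end
  class Terminal256; end
end

# Weak lookup: Module#const_get defaults to inherit=true. When the receiver
# is a Module, the search continues into Object after the namespace itself,
# so any top-level constant (Kernel, File, ...) is reachable by name.
def lookup_unscoped(name)
  Formatters.const_get(name)
end

# Hardened lookup: a strict name pattern, inherit=false to confine the search
# to the namespace, and an ancestry check so only classes defined under
# Formatters are returned. Anything else yields nil instead of a class.
def lookup_scoped(name)
  return nil unless name.match?(/\A[[:upper:]][[:alnum:]_]*\z/)
  klass = Formatters.const_get(name, false)
  return nil unless klass.is_a?(Class) && klass.name.start_with?("Formatters::")
  klass
rescue NameError
  nil
end

if $PROGRAM_NAME == __FILE__
  puts "unscoped 'Kernel' -> #{lookup_unscoped('Kernel').inspect}"  # Kernel
  puts "scoped   'Kernel' -> #{lookup_scoped('Kernel').inspect}"    # nil
  puts "scoped   'HTML'   -> #{lookup_scoped('HTML').inspect}"      # Formatters::HTML
end
```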