Remote code execution in Kramdown
Published: March 29, 2021
SECURITY IDENTIFIERS
- CVE: CVE-2021-28834 (NVD)
- GHSA: GHSA-52p9-v744-mwjj
GEM
kramdown
SEVERITY
CVSS v3.x: 9.8 (Critical)
UNAFFECTED VERSIONS
< 1.16.0
PATCHED VERSIONS
>= 2.3.1
DESCRIPTION
Kramdown before 2.3.1 does not restrict the Rouge formatter named in its options (the `:formatter` key of `syntax_highlighter_opts`) to the Rouge::Formatters namespace. The name is resolved with an unrestricted constant lookup, so any class reachable from the top level can be looked up and instantiated with the converter's option hash; because document options can be supplied along with untrusted content, this is a remote code execution vector.
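The lookup flaw described above, as an added Ruby example that is not kramdown's or Rouge's code: `Module#const_get` defaults to `inherit = true`, and for a module that also consults `Object`, so a namespace module resolves `"File"`, `"Kernel"` or an `"A::B"` path it never defined. `Formatters` and its `HTML` class below are hypothetical stand-ins for `Rouge::Formatters` and a Rouge formatter; the hardened lookup (written from scratch here, not copied from the kramdown patch) accepts one bare constant name and passes `inherit = false`, which is the kind of namespace restriction the advisory says earlier versions lacked.

```ruby
# Added illustration (not kramdown's or Rouge's code) of the lookup flaw the
# advisory describes. `Formatters` is a hypothetical stand-in for
# Rouge::Formatters; `HTML` is a hypothetical formatter class.
module Formatters
  class HTML
    attr_reader :opts

    def initialize(opts = {})
      @opts = opts
    end

    def format(text)
      "<pre class=\"#{opts[:css_class]}\">#{text}</pre>"
    end
  end
end

# Vulnerable pattern: Module#const_get defaults to inherit = true, and for a
# module that also consults Object, so "File", "Kernel" or any "A::B" path
# resolves even though Formatters never defined it. Whatever comes back is
# what the caller then instantiates with the (also user-controlled) options.
def formatter_class_unsafe(name)
  Formatters.const_get(name)
end

# Hardened pattern: accept a single bare constant name (no "::" traversal) and
# look it up with inherit = false, so only constants defined directly under
# Formatters can ever be returned.
FORMATTER_NAME = /\A[[:upper:]][[:alnum:]_]*\z/

def formatter_class_safe(name)
  name = name.to_s
  unless name.match?(FORMATTER_NAME)
    raise ArgumentError, "invalid formatter name: #{name.inspect}"
  end
  Formatters.const_get(name, false)
end

# Runs one of the two lookups and returns the resolved class, or the exception
# class when the lookup is refused, so both behaviours can be compared.
def resolve(lookup, name)
  send(lookup, name)
rescue NameError, ArgumentError => e
  e.class
end

# The safe path end to end: restricted lookup, then instantiation with options.
def build_formatter(name, opts)
  formatter_class_safe(name).new(opts)
end

if __FILE__ == $PROGRAM_NAME
  %w[HTML File File::Stat Kernel].each do |name|
    puts format("%-10s unsafe=%-20p safe=%p", name,
                resolve(:formatter_class_unsafe, name),
                resolve(:formatter_class_safe, name))
  end
  puts build_formatter("HTML", { css_class: "highlight" }).format("x = 1")
end
```

To see which version a project resolves, run `bundle exec ruby -e 'require "kramdown"; puts Kramdown::VERSION'`; `bundle-audit check --update` reports this advisory by its CVE against a Gemfile.lock.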
