ADVISORIES
GEM
SEVERITY
CVSS v3.x: 10.0 (Critical)
PATCHED VERSIONS
- >= 0.4.0
DESCRIPTION
Impact
Applications that use Asciidoctor (Ruby) together with asciidoctor-include-ext prior to version 0.4.0 and render user-supplied AsciiDoc markup may allow an attacker to execute arbitrary system commands on the host operating system via an include target. The attack works even when the allow-uri-read attribute is disabled, because the dangerous path does not depend on remote includes being enabled.
Patches
The vulnerability has been fixed in commit c7ea001 (and the fix further improved in cbaccf3); both are included in version 0.4.0.
Workarounds
If upgrading is not immediately possible, reopen the include processor class and override its private target_uri? method so that only targets that literally begin with http:// or https:// and parse as URI::HTTP are treated as remote; everything else is handled as a local file path and never reaches the URI-opening code. This workaround monkey-patches a private method and should be removed once the gem is upgraded to >= 0.4.0.

    require 'uri'
    require 'asciidoctor/include_ext'

    class Asciidoctor::IncludeExt::IncludeProcessor
      # Overrides superclass private method to mitigate Command Injection
      # vulnerability in asciidoctor-include-ext <0.4.0.
      # Note that URI::HTTPS is a subclass of URI::HTTP, so https targets still pass.
      def target_uri?(target)
        target.downcase.start_with?('http://', 'https://') \
          && URI.parse(target).is_a?(URI::HTTP)
      rescue URI::InvalidURIError
        # Anything that does not parse as a URI is not a remote target.
        false
      end
    end
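The following is an added, self-contained Ruby example; it is not code from asciidoctor-include-ext or from this advisory. It applies the same target_uri? rule as the workaround to a set of constructed include targets and shows the dispatch a safe include resolver needs around that rule: local targets are read with File.read, which takes a path and never interprets a leading "|", and remote targets go through URI.open, instead of Kernel#open, whose pipe behaviour ("|cmd" spawns cmd) is what the open-uri post in the references describes. The module and method names (IncludeTargetCheck, classify, resolve_include) and the sample targets are hypothetical.

```ruby
require 'uri'
require 'open-uri' # provides URI.open; on Ruby >= 3.0 it no longer patches Kernel#open
require 'tmpdir'

# Hypothetical module (not part of asciidoctor-include-ext) that reproduces the
# advisory's workaround rule and shows why the dispatch around it matters.
module IncludeTargetCheck
  module_function

  # Same rule as the workaround: only a literal http:// or https:// prefix that
  # also parses as URI::HTTP (URI::HTTPS is a subclass) counts as a remote target.
  def target_uri?(target)
    target.downcase.start_with?('http://', 'https://') \
      && URI.parse(target).is_a?(URI::HTTP)
  rescue URI::InvalidURIError
    false
  end

  # Where a target would be resolved. A leading '|' is the dangerous case:
  # Kernel#open (which older open-uri extended to accept URLs) treats "|cmd"
  # as a pipe and spawns cmd, so a target that is neither a vetted URI nor a
  # plain path must never be handed to Kernel#open.
  def classify(target)
    if target_uri?(target)
      :remote
    elsif target.start_with?('|')
      :pipe_rejected
    else
      :local_file
    end
  end

  # Resolve an include target without ever calling Kernel#open.
  # File.read takes a path and does not interpret '|'; URI.open only accepts URIs.
  def resolve_include(target, base_dir)
    case classify(target)
    when :pipe_rejected then raise SecurityError, "refusing pipe target: #{target.inspect}"
    when :remote        then URI.open(target, &:read) # needs network; not exercised offline
    else                     File.read(File.expand_path(target, base_dir))
    end
  end
end

# Constructed sample targets: what a document author might write, plus the
# kind of include:: target an attacker would supply.
SAMPLE_TARGETS = [
  'chapter1.adoc',
  'http://example.com/shared.adoc',
  'HTTPS://Example.com/shared.adoc',
  'file:///etc/passwd',
  'http://bad host/x.adoc',
  '|id > /tmp/pwned',
].freeze

# Map each sample target to how the resolver would treat it.
def classify_samples
  SAMPLE_TARGETS.to_h { |t| [t, IncludeTargetCheck.classify(t)] }
end

if $PROGRAM_NAME == __FILE__
  classify_samples.each { |t, c| puts format('%-32s -> %s', t, c) }
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'chapter1.adoc'), "= Chapter 1\n")
    puts IncludeTargetCheck.resolve_include('chapter1.adoc', dir)
    begin
      IncludeTargetCheck.resolve_include('|id > /tmp/pwned', dir)
    rescue SecurityError => e
      puts "blocked: #{e.message}"
    end
  end
end
```

Targets that fail the URI check, including malformed URLs such as the one containing a space and non-HTTP schemes such as file://, fall through to local file resolution, which is also how the workaround above behaves; that is acceptable only because the local branch uses File.read and not Kernel#open.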
References
- https://sakurity.com/blog/2015/02/28/openuri.html