CVSS v3.x: 10.0 (Critical)
Patched versions: >= 0.4.0
Applications using Asciidoctor (Ruby) (prior to version 0.4.0), which render user-supplied input in AsciiDoc markup, may allow an attacker to execute arbitrary system commands on the host operating system. This attack is possible even when allow-uri-read is disabled!
The vulnerability has been fixed in commit c7ea001 (and further improved in cbaccf3), which is included in version 0.4.0.
Workaround for applications that cannot upgrade yet: reopen the include processor and replace its target check so that only targets which both start with an http(s) scheme and parse as a URI::HTTP are treated as remote includes.

```ruby
require 'uri'   # URI.parse / URI::HTTP / URI::InvalidURIError
require 'asciidoctor/include_ext'

class Asciidoctor::IncludeExt::IncludeProcessor
  # Overrides superclass private method to mitigate Command Injection
  # vulnerability in asciidoctor-include-ext <0.4.0.
  #
  # The target must start with "http://" or "https://" (case-insensitive)
  # AND parse to a URI::HTTP (URI::HTTPS is a subclass). A target that
  # URI.parse rejects is reported as "not a URI" instead of raising.
  def target_uri?(target)
    target.downcase.start_with?('http://', 'https://') \
      && URI.parse(target).is_a?(URI::HTTP)
  rescue URI::InvalidURIError
    false
  end
end
```
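Added example, not code from the advisory or from the asciidoctor-include-ext project: a stand-alone copy of the patched predicate (hypothetical module name IncludeTargetCheck, so it runs without the gem installed), exercised over constructed include targets to show which ones the check accepts as remote HTTP includes and which it rejects, including a malformed URI that trips the rescue clause.

```ruby
# Added example (not from the advisory or the asciidoctor-include-ext project).
# Stand-alone copy of the patched target_uri? predicate; module name is hypothetical.
require 'uri'

module IncludeTargetCheck
  # True only when the target starts with an http(s) scheme (case-insensitive)
  # AND URI.parse yields a URI::HTTP (URI::HTTPS is a subclass of URI::HTTP).
  # Targets that URI.parse rejects are treated as "not a URI" (false) rather
  # than raising, mirroring the rescue clause in the advisory's workaround.
  def self.http_uri?(target)
    target.downcase.start_with?('http://', 'https://') \
      && URI.parse(target).is_a?(URI::HTTP)
  rescue URI::InvalidURIError
    false
  end

  # Classify a list of include targets, e.g. when auditing AsciiDoc sources
  # for includes that would be fetched over the network.
  def self.classify(targets)
    targets.map { |t| [t, http_uri?(t) ? :remote_http : :not_http] }.to_h
  end
end

# Constructed sample include targets covering the cases the check must handle.
SAMPLE_TARGETS = [
  'https://example.com/docs/intro.adoc',  # ordinary remote include -> :remote_http
  'HTTP://EXAMPLE.COM/README.adoc',       # scheme case handled by downcase -> :remote_http
  'ftp://example.com/file.adoc',          # non-HTTP scheme -> :not_http
  'chapters/chapter1.adoc',               # relative local path -> :not_http
  'http://example.com/has space.adoc',    # malformed: URI.parse raises, rescued -> :not_http
].freeze

if __FILE__ == $PROGRAM_NAME
  IncludeTargetCheck.classify(SAMPLE_TARGETS).each do |target, verdict|
    puts format('%-40s %s', target, verdict)
  end
end
```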