Command Injection vulnerability in asciidoctor-include-ext
Published: March 31, 2022
SECURITY IDENTIFIERS
- CVE: CVE-2022-24803 (NVD)
- GHSA: GHSA-v222-6mr4-qj29
- Vendor Advisory: https://github.com/jirutka/asciidoctor-include-ext/security/advisories/GHSA-v222-6mr4-qj29
GEM
asciidoctor-include-ext
SEVERITY
CVSS v3.x: 10.0 (Critical)
PATCHED VERSIONS
>= 0.4.0
DESCRIPTION
Impact
Applications using Asciidoctor (Ruby) with asciidoctor-include-ext (prior to version 0.4.0), which render user-supplied input in AsciiDoc markup, may allow an attacker to execute arbitrary system commands on the host operating system. This attack is possible even when allow-uri-read is disabled!
Patches
The vulnerability has been fixed in commit c7ea001 (and further improved in cbaccf3), which is included in version 0.4.0.
Workarounds
require 'uri'
require 'asciidoctor/include_ext'

# Reopen the gem's processor class (the gem must already be loaded, hence the
# require above) and override its private target_uri? check.
class Asciidoctor::IncludeExt::IncludeProcessor
  # Overrides superclass private method to mitigate Command Injection
  # vulnerability in asciidoctor-include-ext <0.4.0: a target counts as a URI
  # only if it starts with http:// or https:// and parses as URI::HTTP.
  def target_uri?(target)
    target.downcase.start_with?('http://', 'https://') \
      && URI.parse(target).is_a?(URI::HTTP)
  rescue URI::InvalidURIError
    false
  end
end
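The workaround above tightens one check; the example below, added here and not code from asciidoctor-include-ext or its author, puts that check into a small hypothetical include resolver so the two defensive rules it depends on can be exercised against sample targets. `Kernel#open` (which open-uri extends, see the reference below) interprets a string beginning with `|` as a command to run, so the resolver classifies every target before doing any I/O, reads local includes only with `File.read`, and only treats a target as remote when it strictly parses as an http(s) URI. The module, method names, the `allow_uri_read` keyword and the base-directory confinement check are assumptions for this example; the sample file is constructed in a temporary directory.

```ruby
require 'uri'
require 'tmpdir'

# Hypothetical include-target resolver (added example, not the gem's own code).
module SafeIncludeResolver
  # Rule 1: only a string that starts with http(s):// AND parses as URI::HTTP is
  # a URI. The prefix check runs first so arbitrary strings never reach a
  # URI-reading helper; URI.parse rejects malformed input.
  def self.target_uri?(target)
    target.downcase.start_with?('http://', 'https://') &&
      URI.parse(target).is_a?(URI::HTTP)
  rescue URI::InvalidURIError
    false
  end

  # Classify a target before any I/O happens:
  #   :uri      -> remote target, permitted only when allow_uri_read is true
  #   :file     -> local path, to be read with File.read (no command semantics)
  #   :rejected -> anything else, including pipe-prefixed strings that
  #                Kernel#open would treat as a command to execute
  def self.classify(target, allow_uri_read: false)
    if target_uri?(target)
      allow_uri_read ? :uri : :rejected
    elsif target.start_with?('|')
      :rejected
    else
      :file
    end
  end

  # Rule 2: read local includes with File.read, never Kernel#open.
  # File.read treats its argument strictly as a path, so a leading '|' cannot
  # turn an include into a subprocess. Confining the resolved path to base_dir
  # is an extra hardening step assumed for this example.
  def self.read_include(target, base_dir, allow_uri_read: false)
    case classify(target, allow_uri_read: allow_uri_read)
    when :file
      root = File.join(File.expand_path(base_dir), '')
      path = File.expand_path(target, base_dir)
      unless path.start_with?(root)
        raise ArgumentError, "include target escapes #{base_dir}: #{target}"
      end
      File.read(path)
    when :uri
      # Remote fetching is out of scope here; a real resolver would use Net::HTTP.
      raise NotImplementedError, "remote include not shown: #{target}"
    else
      raise ArgumentError, "refusing unsafe include target: #{target.inspect}"
    end
  end
end

# Constructed demo: one local include file in a temporary directory, plus a
# pipe-prefixed and a remote target that must be refused by default.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'chapter.adoc'), "== Chapter\n")
    pipe_rejected =
      begin
        SafeIncludeResolver.read_include('|some-command', dir)
        false
      rescue ArgumentError
        true
      end
    {
      local: SafeIncludeResolver.read_include('chapter.adoc', dir),
      pipe_rejected: pipe_rejected,
      uri_rejected: SafeIncludeResolver.classify('https://example.com/x.adoc') == :rejected
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The order of checks matters: classifying first means a string such as `|some-command` is refused before any function with command semantics could see it, and the `rescue URI::InvalidURIError` keeps a malformed "URL" from being silently treated as anything other than not-a-URI.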
References
- https://sakurity.com/blog/2015/02/28/openuri.html
