CVE-2020-14001
Published: Jul 17, 2020
Modified: Aug 4, 2024
PUBLISHED
Description
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
https://github.com/gettalong/kramdown (x_refsource_MISC)
https://kramdown.gettalong.org (x_refsource_MISC)
https://rubygems.org/gems/kramdown (x_refsource_MISC)
https://kramdown.gettalong.org/news.html (x_refsource_CONFIRM)
https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0 (x_refsource_CONFIRM)
https://security.netapp.com/advisory/ntap-20200731-0004/ (x_refsource_CONFIRM)
[fluo-notifications] 20200808 [GitHub] [fluo-website] ctubbsii opened a new pull request #194: Update gems (mailing-list, x_refsource_MLIST)
[debian-lts-announce] 20200809 [SECURITY] [DLA 2316-1] ruby-kramdown security update (mailing-list, x_refsource_MLIST)
DSA-4743 (vendor-advisory, x_refsource_DEBIAN)
FEDORA-2020-f6eee9a2d3 (vendor-advisory, x_refsource_FEDORA)
FEDORA-2020-5c70d97eca (vendor-advisory, x_refsource_FEDORA)
USN-4562-1 (vendor-advisory, x_refsource_UBUNTU)