First published: Fri Mar 19 2021
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/ruby-kramdown | <1.17.0-4ubuntu0.2 | 1.17.0-4ubuntu0.2 |
| ubuntu/ruby-kramdown | <2.3.1 | 2.3.1 |
| Kramdown Project Kramdown | <2.3.1 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Debian Debian Linux | =10.0 | |
| redhat/rubygem-kramdown | <2.3.1 | 2.3.1 |
| debian/ruby-kramdown | 1.17.0-1+deb10u2, 2.3.0-5, 2.4.0-2 | |
The severity of CVE-2021-28834 is medium.
The software affected by CVE-2021-28834 is ruby-kramdown version 1.17.0-1+deb10u2, 2.3.0-5, 2.4.0-2, and rubygem-kramdown version up to 2.3.1.
Kramdown before version 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, allowing arbitrary classes to be instantiated.
To fix CVE-2021-28834, update to kramdown version 2.3.1 or higher.
More information about CVE-2021-28834 can be found on the [CVE website](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28834) and on the [GitHub page](https://github.com/gettalong/kramdown/pull/708).
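The following is an added example, not kramdown's or Rouge's own code, illustrating the root cause described above: resolving a user-supplied formatter name with `Module#const_get` in its default inherit mode also consults top-level (`Object`) constants, so a name outside the intended namespace still resolves. `FakeFormatters` is a constructed stand-in for `Rouge::Formatters` so the script runs without the rouge gem; the hardened lookup is one reasonable mitigation, not necessarily the exact upstream patch.

```ruby
# Constructed stand-in for Rouge::Formatters (not the real gem).
module FakeFormatters
  class HTML; end
  class Terminal256; end
end

# Vulnerable lookup: const_get defaults to inherit=true, and for a module that
# lookup falls through to Object, so any top-level class name resolves.
def lookup_vulnerable(name)
  FakeFormatters.const_get(name)
end

# Hardened lookup:
#  - accept only a bare constant name (no "::" scoping),
#  - require the constant to be defined directly in the namespace (inherit=false),
#  - confirm the result is a Class whose name lives under the namespace.
def lookup_hardened(name)
  return nil unless name.is_a?(String) && name.match?(/\A[[:upper:]][[:alnum:]_]*\z/)
  return nil unless FakeFormatters.const_defined?(name, false)
  klass = FakeFormatters.const_get(name, false)
  return nil unless klass.is_a?(Class) && klass.name.start_with?("#{FakeFormatters.name}::")
  klass
end

if __FILE__ == $PROGRAM_NAME
  %w[HTML File Kernel Foo::Bar].each do |name|
    vuln = lookup_vulnerable(name) rescue "NameError"
    puts format("%-10s vulnerable=%-20s hardened=%s", name, vuln.inspect, lookup_hardened(name).inspect)
  end
end
```

Run with plain `ruby`; the vulnerable lookup returns `File` and `Kernel` for those names, while the hardened one returns `nil` for everything except the namespaced formatter classes.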