CVE-2021-28834

high-risk
Published 2021-03-19

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

Do I need to act?

~
2.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 0b0a9e072f9a76e59fe2bbafdf343118fb27c3fa, 179329b5c3c118924fb242dc449d06b4ed6ccb66
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (5)

Kramdown

Affected Vendors

Debian Fedoraproject Kramdown Project

References (14)

Patch https://github.com/gettalong/kramdown/compare/REL_2_3_0...REL_2_3_1
Exploit https://github.com/gettalong/kramdown/pull/708
Patch https://gitlab.com/gitlab-org/gitlab/-/commit/179329b5c3c118924fb242dc449d06b4ed...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Third Party Advisory https://www.debian.org/security/2021/dsa-4890
Patch https://github.com/gettalong/kramdown/compare/REL_2_3_0...REL_2_3_1
Exploit https://github.com/gettalong/kramdown/pull/708
Patch https://gitlab.com/gitlab-org/gitlab/-/commit/179329b5c3c118924fb242dc449d06b4ed...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Third Party Advisory https://www.debian.org/security/2021/dsa-4890
50
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 6/34 · Minimal
Exposure 12/34 · Low