RubyGems package
kramdown
pkg:gem/kramdown
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-28834 | — | | | >= 1.16.0, < 2.3.1 | 2.3.1 | Mar 19, 2021 | Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated. |
| CVE-2020-14001 | — | | | < 2.3.0 | 2.3.0 | Jul 17, 2020 | The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). |