Vulnerability Details CVE-2021-28834
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.015
EPSS Ranking 80.4%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 6.8
References
- https://github.com/gettalong/kramdown/compare/REL_2_3_0...REL_2_3_1
- https://github.com/gettalong/kramdown/pull/708
- https://gitlab.com/gitlab-org/gitlab/-/commit/179329b5c3c118924fb242dc449d06b4ed6ccb66
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJCJVYHPY6LNUFM6LYZIAUIYOMVT5QGV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S3BBLUIDCUUR3NEE4NJLOCCAV3ALQ3O6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SYOLQKFL6IJCQLBXV34Z4TI4O54GESPR/
- https://www.debian.org/security/2021/dsa-4890
- https://github.com/gettalong/kramdown/compare/REL_2_3_0...REL_2_3_1
- https://github.com/gettalong/kramdown/pull/708
- https://gitlab.com/gitlab-org/gitlab/-/commit/179329b5c3c118924fb242dc449d06b4ed6ccb66
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJCJVYHPY6LNUFM6LYZIAUIYOMVT5QGV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S3BBLUIDCUUR3NEE4NJLOCCAV3ALQ3O6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SYOLQKFL6IJCQLBXV34Z4TI4O54GESPR/
- https://www.debian.org/security/2021/dsa-4890
Products affected by CVE-2021-28834
-
cpe:2.3:a:kramdown_project:kramdown:-
-
cpe:2.3:a:kramdown_project:kramdown:0.1.0
-
cpe:2.3:a:kramdown_project:kramdown:0.10.0
-
cpe:2.3:a:kramdown_project:kramdown:0.11.0
-
cpe:2.3:a:kramdown_project:kramdown:0.12.0
-
cpe:2.3:a:kramdown_project:kramdown:0.13.0
-
cpe:2.3:a:kramdown_project:kramdown:0.13.1
-
cpe:2.3:a:kramdown_project:kramdown:0.13.2
-
cpe:2.3:a:kramdown_project:kramdown:0.13.3
-
cpe:2.3:a:kramdown_project:kramdown:0.13.4
-
cpe:2.3:a:kramdown_project:kramdown:0.13.5
-
cpe:2.3:a:kramdown_project:kramdown:0.13.6
-
cpe:2.3:a:kramdown_project:kramdown:0.13.7
-
cpe:2.3:a:kramdown_project:kramdown:0.13.8
-
cpe:2.3:a:kramdown_project:kramdown:0.14.0
-
cpe:2.3:a:kramdown_project:kramdown:0.14.1
-
cpe:2.3:a:kramdown_project:kramdown:0.14.2
-
cpe:2.3:a:kramdown_project:kramdown:0.2.0
-
cpe:2.3:a:kramdown_project:kramdown:0.3.0
-
cpe:2.3:a:kramdown_project:kramdown:0.4.0
-
cpe:2.3:a:kramdown_project:kramdown:0.5.0
-
cpe:2.3:a:kramdown_project:kramdown:0.6.0
-
cpe:2.3:a:kramdown_project:kramdown:0.7.0
-
cpe:2.3:a:kramdown_project:kramdown:0.8.0
-
cpe:2.3:a:kramdown_project:kramdown:0.9.0
-
cpe:2.3:a:kramdown_project:kramdown:1.0.0
-
cpe:2.3:a:kramdown_project:kramdown:1.0.1
-
cpe:2.3:a:kramdown_project:kramdown:1.0.2
-
cpe:2.3:a:kramdown_project:kramdown:1.1.0
-
cpe:2.3:a:kramdown_project:kramdown:1.10.0
-
cpe:2.3:a:kramdown_project:kramdown:1.11.0
-
cpe:2.3:a:kramdown_project:kramdown:1.11.1
-
cpe:2.3:a:kramdown_project:kramdown:1.12.0
-
cpe:2.3:a:kramdown_project:kramdown:1.13.0
-
cpe:2.3:a:kramdown_project:kramdown:1.13.1
-
cpe:2.3:a:kramdown_project:kramdown:1.13.2
-
cpe:2.3:a:kramdown_project:kramdown:1.14.0
-
cpe:2.3:a:kramdown_project:kramdown:1.15.0
-
cpe:2.3:a:kramdown_project:kramdown:1.16.0
-
cpe:2.3:a:kramdown_project:kramdown:1.16.1
-
cpe:2.3:a:kramdown_project:kramdown:1.16.2
-
cpe:2.3:a:kramdown_project:kramdown:1.17.0
-
cpe:2.3:a:kramdown_project:kramdown:1.2.0
-
cpe:2.3:a:kramdown_project:kramdown:1.3.0
-
cpe:2.3:a:kramdown_project:kramdown:1.3.1
-
cpe:2.3:a:kramdown_project:kramdown:1.3.2
-
cpe:2.3:a:kramdown_project:kramdown:1.3.3
-
cpe:2.3:a:kramdown_project:kramdown:1.4.0
-
cpe:2.3:a:kramdown_project:kramdown:1.4.1
-
cpe:2.3:a:kramdown_project:kramdown:1.4.2
-
cpe:2.3:a:kramdown_project:kramdown:1.5.0
-
cpe:2.3:a:kramdown_project:kramdown:1.6.0
-
cpe:2.3:a:kramdown_project:kramdown:1.7.0
-
cpe:2.3:a:kramdown_project:kramdown:1.8.0
-
cpe:2.3:a:kramdown_project:kramdown:1.9.0
-
cpe:2.3:a:kramdown_project:kramdown:2.0.0
-
cpe:2.3:a:kramdown_project:kramdown:2.1.0
-
cpe:2.3:a:kramdown_project:kramdown:2.2.0
-
cpe:2.3:a:kramdown_project:kramdown:2.2.1
-
cpe:2.3:a:kramdown_project:kramdown:2.3.0
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:fedoraproject:fedora:32
-
cpe:2.3:o:fedoraproject:fedora:33
-
cpe:2.3:o:fedoraproject:fedora:34