This repository has been archived by the owner on Apr 24, 2024. It is now read-only.

Remote code execution in Kramdown #1363

Open. Wants to merge 1 commit into base: publisher-production.

Conversation

imhunterand commented:

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

CVE-2021-28834
GHSA-52p9-v744-mwjj

imhunterand requested a review from a team on August 19, 2022 at 13:24.

imhunterand (Author) commented:

Additional Information

A flaw was found in rubygem-kramdown. Rouge is a syntax highlighter used by kramdown. Restriction of the Rouge formatters to the Rouge::Formatters namespace does not occur when Ruby's const_get() method is called. This can lead to arbitrary classes being instantiated in situations where the application using kramdown, for example, accepts user input to select a Rouge syntax highlighter formatter. The highest threat from this vulnerability when exploited in a vulnerable configuration is to data confidentiality, integrity, and availability.

Mitigation

Developers using rubygem-kramdown: Do not pass user or external input into custom Rouge formatter selection logic.
All other users/system administrators: There is no known mitigation at this time. Please approve and merge this pull request to patch this issue.
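To show the class of bug described in this pull request, here is an added Ruby example (not kramdown's code and not its actual fix) using a constructed stand-in `Formatters` module in place of `Rouge::Formatters`: an unqualified `const_get` resolves core classes outside the namespace, while a hardened lookup confines resolution to classes defined directly under it.

```ruby
# Stand-in for Rouge's formatter namespace (constructed for this example;
# not Rouge's or kramdown's own code). Only these two classes are legitimate.
module Formatters
  class HTML
    def format(text)
      "<pre>#{text}</pre>"
    end
  end

  class Terminal
    def format(text)
      "\e[1m#{text}\e[0m"
    end
  end
end

# The unsafe pattern: Module#const_get with its default inherit=true also
# searches the module's ancestors and Object, so names such as "File",
# "Kernel" or "IO" resolve to core classes that live outside the namespace.
def lookup_formatter_unsafe(name)
  Formatters.const_get(name)
end

# Hardened resolution: a strict name shape (no "::" paths), a check that the
# constant is defined directly on Formatters (inherit=false), and a check that
# the result is a Class whose own name is nested under Formatters (this also
# rejects a constant under Formatters that merely aliases an outside class).
def lookup_formatter_safe(name)
  unless name.is_a?(String) && name.match?(/\A[A-Z][A-Za-z0-9_]*\z/)
    raise ArgumentError, "invalid formatter name: #{name.inspect}"
  end
  unless Formatters.const_defined?(name, false)
    raise ArgumentError, "unknown formatter: #{name}"
  end
  klass = Formatters.const_get(name, false)
  unless klass.is_a?(Class) && klass.name.to_s.start_with?("Formatters::")
    raise ArgumentError, "not a formatter class: #{name}"
  end
  klass
end

# Detection helper: true when the unsafe lookup leaves the namespace for a name.
def escapes_namespace?(name)
  resolved = lookup_formatter_unsafe(name)
  !resolved.name.to_s.start_with?("Formatters::")
rescue NameError
  false
end
```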
