CVE-2020-14001 (GCVE-0-2020-14001)
Vulnerability from cvelistv5 – Published: 2020-07-17 15:27 – Updated: 2024-08-04 12:32
Summary
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.657Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gettalong/kramdown"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://kramdown.gettalong.org"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://rubygems.org/gems/kramdown"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kramdown.gettalong.org/news.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200731-0004/"
},
{
"name": "[fluo-notifications] 20200808 [GitHub] [fluo-website] ctubbsii opened a new pull request #194: Update gems",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2%40%3Cnotifications.fluo.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200809 [SECURITY] [DLA 2316-1] ruby-kramdown security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html"
},
{
"name": "DSA-4743",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4743"
},
{
"name": "FEDORA-2020-f6eee9a2d3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/"
},
{
"name": "FEDORA-2020-5c70d97eca",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/"
},
{
"name": "USN-4562-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4562-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-06T15:06:17.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gettalong/kramdown"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://kramdown.gettalong.org"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://rubygems.org/gems/kramdown"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kramdown.gettalong.org/news.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200731-0004/"
},
{
"name": "[fluo-notifications] 20200808 [GitHub] [fluo-website] ctubbsii opened a new pull request #194: Update gems",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2%40%3Cnotifications.fluo.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200809 [SECURITY] [DLA 2316-1] ruby-kramdown security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html"
},
{
"name": "DSA-4743",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4743"
},
{
"name": "FEDORA-2020-f6eee9a2d3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/"
},
{
"name": "FEDORA-2020-5c70d97eca",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/"
},
{
"name": "USN-4562-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4562-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14001",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gettalong/kramdown",
"refsource": "MISC",
"url": "https://github.com/gettalong/kramdown"
},
{
"name": "https://kramdown.gettalong.org",
"refsource": "MISC",
"url": "https://kramdown.gettalong.org"
},
{
"name": "https://rubygems.org/gems/kramdown",
"refsource": "MISC",
"url": "https://rubygems.org/gems/kramdown"
},
{
"name": "https://kramdown.gettalong.org/news.html",
"refsource": "CONFIRM",
"url": "https://kramdown.gettalong.org/news.html"
},
{
"name": "https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde",
"refsource": "CONFIRM",
"url": "https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde"
},
{
"name": "https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0",
"refsource": "CONFIRM",
"url": "https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200731-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200731-0004/"
},
{
"name": "[fluo-notifications] 20200808 [GitHub] [fluo-website] ctubbsii opened a new pull request #194: Update gems",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2@%3Cnotifications.fluo.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200809 [SECURITY] [DLA 2316-1] ruby-kramdown security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html"
},
{
"name": "DSA-4743",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4743"
},
{
"name": "FEDORA-2020-f6eee9a2d3",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/"
},
{
"name": "FEDORA-2020-5c70d97eca",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/"
},
{
"name": "USN-4562-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4562-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-14001",
"datePublished": "2020-07-17T15:27:54.000Z",
"dateReserved": "2020-06-10T00:00:00.000Z",
"dateUpdated": "2024-08-04T12:32:14.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:kramdown_project:kramdown:*:*:*:*:*:ruby:*:*\", \"versionEndExcluding\": \"2.3.0\", \"matchCriteriaId\": \"796E1C66-E0EF-4C52-B378-FE4382555C86\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"902B8056-9E37-443B-8905-8AA93E2447FB\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\\\"/etc/passwd\\\") or unintended embedded Ruby code execution (such as a string that begins with template=\\\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.\"}, {\"lang\": \"es\", \"value\": \"La gema kramdown versiones anteriores a 2.3.0 para Ruby procesa la opci\\u00f3n de plantilla dentro de los documentos de Kramdown por defecto, lo que permite el acceso de lectura no deseada (tal y como template=\\\"/etc/passwd\\\") o la ejecuci\\u00f3n de c\\u00f3digo Ruby insertado no previsto (tal y como una cadena que comienza con template=\\\"string://(%= \\\"). NOTA: kramdown es usado en Jekyll, GitLab Pages, GitHub Pages y Thredded Forum\"}]",
"id": "CVE-2020-14001",
"lastModified": "2024-11-21T05:02:19.567",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2020-07-17T16:15:11.230",
"references": "[{\"url\": \"https://github.com/gettalong/kramdown\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://kramdown.gettalong.org\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://kramdown.gettalong.org/news.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2%40%3Cnotifications.fluo.apache.org%3E\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://rubygems.org/gems/kramdown\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200731-0004/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/4562-1/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2020/dsa-4743\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": 
\"https://github.com/gettalong/kramdown\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://kramdown.gettalong.org\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://kramdown.gettalong.org/news.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2%40%3Cnotifications.fluo.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://rubygems.org/gems/kramdown\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200731-0004/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/4562-1/\", \"source\": 
\"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2020/dsa-4743\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-14001\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-07-17T16:15:11.230\",\"lastModified\":\"2024-11-21T05:02:19.567\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\\\"/etc/passwd\\\") or unintended embedded Ruby code execution (such as a string that begins with template=\\\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.\"},{\"lang\":\"es\",\"value\":\"La gema kramdown versiones anteriores a 2.3.0 para Ruby procesa la opci\u00f3n de plantilla dentro de los documentos de Kramdown por defecto, lo que permite el acceso de lectura no deseada (tal y como template=\\\"/etc/passwd\\\") o la ejecuci\u00f3n de c\u00f3digo Ruby insertado no previsto (tal y como una cadena que comienza con template=\\\"string://(%= \\\"). 
NOTA: kramdown es usado en Jekyll, GitLab Pages, GitHub Pages y Thredded Forum\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kramdown_project:kramdown:*:*:*:*:*:ruby:*:*\",\"versionEndExcluding\":\"2.3.0\",\"matchCriteriaId\":\"796E1C66-E0EF-4C52-B378-FE4382555C86\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":f
alse,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"902B8056-9E37-443B-8905-8AA93E2447FB\"}]}]}],\"references\":[{\"url\":\"https://github.com/gettalong/kramdown\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://kramdown.gettalong.org\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://kramdown.gettalong.org/news.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2%40%3Cnotifications.fluo.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party 
Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://rubygems.org/gems/kramdown\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20200731-0004/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4562-1/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4743\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/gettalong/kramdown\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://kramdown.gettalong.org\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://kramdown.gettalong.org/news.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2%40%3Cnotifications.fluo.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing 
List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://rubygems.org/gems/kramdown\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20200731-0004/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4562-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4743\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
SUSE-SU-2022:3259-1
Vulnerability from csaf_suse - Published: 2022-09-12 10:51 - Updated: 2022-09-12 10:51
Summary
Security update for rubygem-kramdown
Severity
Important
Notes
Title of the patch: Security update for rubygem-kramdown
Description of the patch: This update for rubygem-kramdown fixes the following issues:
- CVE-2020-14001: Fixed processing template options inside documents allowing unintended read access or embedded Ruby code execution (bsc#1174297).
Patchnames: SUSE-2022-3259,SUSE-SLE-Product-HA-15-2022-3259,SUSE-SLE-Product-HA-15-SP1-2022-3259,SUSE-SLE-Product-HA-15-SP2-2022-3259,SUSE-SLE-Product-HA-15-SP3-2022-3259,SUSE-SLE-Product-HA-15-SP4-2022-3259,openSUSE-SLE-15.3-2022-3259,openSUSE-SLE-15.4-2022-3259
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.3 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-kramdown",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rubygem-kramdown fixes the following issues:\n\n- CVE-2020-14001: Fixed processing template options inside documents allowing unintended read access or embedded Ruby code execution (bsc#1174297).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2022-3259,SUSE-SLE-Product-HA-15-2022-3259,SUSE-SLE-Product-HA-15-SP1-2022-3259,SUSE-SLE-Product-HA-15-SP2-2022-3259,SUSE-SLE-Product-HA-15-SP3-2022-3259,SUSE-SLE-Product-HA-15-SP4-2022-3259,openSUSE-SLE-15.3-2022-3259,openSUSE-SLE-15.4-2022-3259",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2022_3259-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2022:3259-1",
"url": "https://www.suse.com/support/update/announcement/2022/suse-su-20223259-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2022:3259-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2022-September/012214.html"
},
{
"category": "self",
"summary": "SUSE Bug 1174297",
"url": "https://bugzilla.suse.com/1174297"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-14001 page",
"url": "https://www.suse.com/security/cve/CVE-2020-14001/"
}
],
"title": "Security update for rubygem-kramdown",
"tracking": {
"current_release_date": "2022-09-12T10:51:09Z",
"generator": {
"date": "2022-09-12T10:51:09Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2022:3259-1",
"initial_release_date": "2022-09-12T10:51:09Z",
"revision_history": [
{
"date": "2022-09-12T10:51:09Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"product": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"product_id": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64",
"product": {
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64",
"product_id": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64",
"product": {
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64",
"product_id": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.i586",
"product": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.i586",
"product_id": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.i586"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.i586",
"product": {
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.i586",
"product_id": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.i586"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.i586",
"product": {
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.i586",
"product_id": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"product": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"product_id": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le",
"product": {
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le",
"product_id": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le",
"product": {
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le",
"product_id": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"product": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"product_id": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x",
"product": {
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x",
"product_id": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x",
"product": {
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x",
"product_id": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"product": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"product_id": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64",
"product": {
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64",
"product_id": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64",
"product": {
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64",
"product_id": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP1",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp1"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15:sp4"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.4",
"product": {
"name": "openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
"product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14001",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-14001"
}
],
"notes": [
{
"category": "general",
"text": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-14001",
"url": "https://www.suse.com/security/cve/CVE-2020-14001"
},
{
"category": "external",
"summary": "SUSE Bug 1174297 for CVE-2020-14001",
"url": "https://bugzilla.suse.com/1174297"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.3:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-doc-1.15.0-150000.3.3.1.x86_64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.aarch64",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.ppc64le",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.s390x",
"openSUSE Leap 15.4:ruby2.5-rubygem-kramdown-testsuite-1.15.0-150000.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-09-12T10:51:09Z",
"details": "important"
}
],
"title": "CVE-2020-14001"
}
]
}
OPENSUSE-SU-2025:15119-1
Vulnerability from csaf_opensuse - Published: 2025-05-17 00:00 - Updated: 2025-05-17 00:00
Summary
ruby3.4-rubygem-kramdown-2.4.0-1.15 on GA media
Severity
Moderate (SUSE aggregate rating per https://www.suse.com/support/security/rating/ — this is the vendor's own scale and is not the CVSS severity; the per-CVE CVSS 3.1 scores in this advisory are 7.3 High for CVE-2020-14001 and 9.8 Critical for CVE-2021-28834)
Notes
Title of the patch: ruby3.4-rubygem-kramdown-2.4.0-1.15 on GA media
Description of the patch: These are all security issues fixed in the ruby3.4-rubygem-kramdown-2.4.0-1.15 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-15119
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.3 (High) — CVSS 3.1 for CVE-2020-14001, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
9.8 (Critical) — CVSS 3.1 for CVE-2021-28834, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.4-rubygem-kramdown-2.4.0-1.15 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.4-rubygem-kramdown-2.4.0-1.15 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15119",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15119-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:15119-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FZZEL5EJD5QLTIY6EGGTCXQMVMERPE6X/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:15119-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FZZEL5EJD5QLTIY6EGGTCXQMVMERPE6X/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-14001 page",
"url": "https://www.suse.com/security/cve/CVE-2020-14001/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-28834 page",
"url": "https://www.suse.com/security/cve/CVE-2021-28834/"
}
],
"title": "ruby3.4-rubygem-kramdown-2.4.0-1.15 on GA media",
"tracking": {
"current_release_date": "2025-05-17T00:00:00Z",
"generator": {
"date": "2025-05-17T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15119-1",
"initial_release_date": "2025-05-17T00:00:00Z",
"revision_history": [
{
"date": "2025-05-17T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-kramdown-2.4.0-1.15.aarch64",
"product": {
"name": "ruby3.4-rubygem-kramdown-2.4.0-1.15.aarch64",
"product_id": "ruby3.4-rubygem-kramdown-2.4.0-1.15.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-kramdown-2.4.0-1.15.ppc64le",
"product": {
"name": "ruby3.4-rubygem-kramdown-2.4.0-1.15.ppc64le",
"product_id": "ruby3.4-rubygem-kramdown-2.4.0-1.15.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-kramdown-2.4.0-1.15.s390x",
"product": {
"name": "ruby3.4-rubygem-kramdown-2.4.0-1.15.s390x",
"product_id": "ruby3.4-rubygem-kramdown-2.4.0-1.15.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-kramdown-2.4.0-1.15.x86_64",
"product": {
"name": "ruby3.4-rubygem-kramdown-2.4.0-1.15.x86_64",
"product_id": "ruby3.4-rubygem-kramdown-2.4.0-1.15.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-kramdown-2.4.0-1.15.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.aarch64"
},
"product_reference": "ruby3.4-rubygem-kramdown-2.4.0-1.15.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-kramdown-2.4.0-1.15.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.ppc64le"
},
"product_reference": "ruby3.4-rubygem-kramdown-2.4.0-1.15.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-kramdown-2.4.0-1.15.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.s390x"
},
"product_reference": "ruby3.4-rubygem-kramdown-2.4.0-1.15.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-kramdown-2.4.0-1.15.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.x86_64"
},
"product_reference": "ruby3.4-rubygem-kramdown-2.4.0-1.15.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14001",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-14001"
}
],
"notes": [
{
"category": "general",
"text": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-14001",
"url": "https://www.suse.com/security/cve/CVE-2020-14001"
},
{
"category": "external",
"summary": "SUSE Bug 1174297 for CVE-2020-14001",
"url": "https://bugzilla.suse.com/1174297"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-14001"
},
{
"cve": "CVE-2021-28834",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-28834"
}
],
"notes": [
{
"category": "general",
"text": "Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-28834",
"url": "https://www.suse.com/security/cve/CVE-2021-28834"
},
{
"category": "external",
"summary": "SUSE Bug 1183814 for CVE-2021-28834",
"url": "https://bugzilla.suse.com/1183814"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-kramdown-2.4.0-1.15.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2021-28834"
}
]
}
OPENSUSE-SU-2024:13161-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
Summary
ruby3.2-rubygem-kramdown-2.4.0-1.8 on GA media
Severity
Moderate (SUSE aggregate rating per https://www.suse.com/support/security/rating/ — this is the vendor's own scale and is not the CVSS severity; the per-CVE CVSS 3.1 scores in this advisory are 7.3 High for CVE-2020-14001 and 9.8 Critical for CVE-2021-28834)
Notes
Title of the patch: ruby3.2-rubygem-kramdown-2.4.0-1.8 on GA media
Description of the patch: These are all security issues fixed in the ruby3.2-rubygem-kramdown-2.4.0-1.8 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-13161
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.3 (High) — CVSS 3.1 for CVE-2020-14001, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
9.8 (Critical) — CVSS 3.1 for CVE-2021-28834, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.2-rubygem-kramdown-2.4.0-1.8 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.2-rubygem-kramdown-2.4.0-1.8 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13161",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13161-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-14001 page",
"url": "https://www.suse.com/security/cve/CVE-2020-14001/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-28834 page",
"url": "https://www.suse.com/security/cve/CVE-2021-28834/"
}
],
"title": "ruby3.2-rubygem-kramdown-2.4.0-1.8 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13161-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-kramdown-2.4.0-1.8.aarch64",
"product": {
"name": "ruby3.2-rubygem-kramdown-2.4.0-1.8.aarch64",
"product_id": "ruby3.2-rubygem-kramdown-2.4.0-1.8.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-kramdown-2.4.0-1.8.ppc64le",
"product": {
"name": "ruby3.2-rubygem-kramdown-2.4.0-1.8.ppc64le",
"product_id": "ruby3.2-rubygem-kramdown-2.4.0-1.8.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-kramdown-2.4.0-1.8.s390x",
"product": {
"name": "ruby3.2-rubygem-kramdown-2.4.0-1.8.s390x",
"product_id": "ruby3.2-rubygem-kramdown-2.4.0-1.8.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-kramdown-2.4.0-1.8.x86_64",
"product": {
"name": "ruby3.2-rubygem-kramdown-2.4.0-1.8.x86_64",
"product_id": "ruby3.2-rubygem-kramdown-2.4.0-1.8.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-kramdown-2.4.0-1.8.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.aarch64"
},
"product_reference": "ruby3.2-rubygem-kramdown-2.4.0-1.8.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-kramdown-2.4.0-1.8.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.ppc64le"
},
"product_reference": "ruby3.2-rubygem-kramdown-2.4.0-1.8.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-kramdown-2.4.0-1.8.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.s390x"
},
"product_reference": "ruby3.2-rubygem-kramdown-2.4.0-1.8.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-kramdown-2.4.0-1.8.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.x86_64"
},
"product_reference": "ruby3.2-rubygem-kramdown-2.4.0-1.8.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14001",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-14001"
}
],
"notes": [
{
"category": "general",
"text": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-14001",
"url": "https://www.suse.com/security/cve/CVE-2020-14001"
},
{
"category": "external",
"summary": "SUSE Bug 1174297 for CVE-2020-14001",
"url": "https://bugzilla.suse.com/1174297"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-14001"
},
{
"cve": "CVE-2021-28834",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-28834"
}
],
"notes": [
{
"category": "general",
"text": "Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-28834",
"url": "https://www.suse.com/security/cve/CVE-2021-28834"
},
{
"category": "external",
"summary": "SUSE Bug 1183814 for CVE-2021-28834",
"url": "https://bugzilla.suse.com/1183814"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2021-28834"
}
]
}
OPENSUSE-SU-2024:14170-1
Vulnerability from csaf_opensuse - Published: 2024-07-12 00:00 - Updated: 2024-07-12 00:00
Summary
ruby3.3-rubygem-kramdown-2.4.0-1.12 on GA media
Severity
Moderate (SUSE aggregate rating per https://www.suse.com/support/security/rating/ — this is the vendor's own scale and is not the CVSS severity; the per-CVE CVSS 3.1 scores in this advisory are 7.3 High for CVE-2020-14001 and 9.8 Critical for CVE-2021-28834)
Notes
Title of the patch: ruby3.3-rubygem-kramdown-2.4.0-1.12 on GA media
Description of the patch: These are all security issues fixed in the ruby3.3-rubygem-kramdown-2.4.0-1.12 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-14170
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.3 (High) — CVSS 3.1 for CVE-2020-14001, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
9.8 (Critical) — CVSS 3.1 for CVE-2021-28834 (the second of the two CVEs this advisory covers)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.3-rubygem-kramdown-2.4.0-1.12 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.3-rubygem-kramdown-2.4.0-1.12 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14170",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14170-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-14001 page",
"url": "https://www.suse.com/security/cve/CVE-2020-14001/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-28834 page",
"url": "https://www.suse.com/security/cve/CVE-2021-28834/"
}
],
"title": "ruby3.3-rubygem-kramdown-2.4.0-1.12 on GA media",
"tracking": {
"current_release_date": "2024-07-12T00:00:00Z",
"generator": {
"date": "2024-07-12T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14170-1",
"initial_release_date": "2024-07-12T00:00:00Z",
"revision_history": [
{
"date": "2024-07-12T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-kramdown-2.4.0-1.12.aarch64",
"product": {
"name": "ruby3.3-rubygem-kramdown-2.4.0-1.12.aarch64",
"product_id": "ruby3.3-rubygem-kramdown-2.4.0-1.12.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-kramdown-2.4.0-1.12.ppc64le",
"product": {
"name": "ruby3.3-rubygem-kramdown-2.4.0-1.12.ppc64le",
"product_id": "ruby3.3-rubygem-kramdown-2.4.0-1.12.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-kramdown-2.4.0-1.12.s390x",
"product": {
"name": "ruby3.3-rubygem-kramdown-2.4.0-1.12.s390x",
"product_id": "ruby3.3-rubygem-kramdown-2.4.0-1.12.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-kramdown-2.4.0-1.12.x86_64",
"product": {
"name": "ruby3.3-rubygem-kramdown-2.4.0-1.12.x86_64",
"product_id": "ruby3.3-rubygem-kramdown-2.4.0-1.12.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-kramdown-2.4.0-1.12.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.aarch64"
},
"product_reference": "ruby3.3-rubygem-kramdown-2.4.0-1.12.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-kramdown-2.4.0-1.12.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.ppc64le"
},
"product_reference": "ruby3.3-rubygem-kramdown-2.4.0-1.12.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-kramdown-2.4.0-1.12.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.s390x"
},
"product_reference": "ruby3.3-rubygem-kramdown-2.4.0-1.12.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-kramdown-2.4.0-1.12.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.x86_64"
},
"product_reference": "ruby3.3-rubygem-kramdown-2.4.0-1.12.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14001",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-14001"
}
],
"notes": [
{
"category": "general",
"text": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-14001",
"url": "https://www.suse.com/security/cve/CVE-2020-14001"
},
{
"category": "external",
"summary": "SUSE Bug 1174297 for CVE-2020-14001",
"url": "https://bugzilla.suse.com/1174297"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-07-12T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-14001"
},
{
"cve": "CVE-2021-28834",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-28834"
}
],
"notes": [
{
"category": "general",
"text": "Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-28834",
"url": "https://www.suse.com/security/cve/CVE-2021-28834"
},
{
"category": "external",
"summary": "SUSE Bug 1183814 for CVE-2021-28834",
"url": "https://bugzilla.suse.com/1183814"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-kramdown-2.4.0-1.12.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-07-12T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2021-28834"
}
]
}
OPENSUSE-SU-2024:12038-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
Summary
ruby3.1-rubygem-kramdown-2.4.0-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: ruby3.1-rubygem-kramdown-2.4.0-1.1 on GA media
Description of the patch: These are all security issues fixed in the ruby3.1-rubygem-kramdown-2.4.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12038
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.3 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
9.8 (Critical)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.1-rubygem-kramdown-2.4.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.1-rubygem-kramdown-2.4.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12038",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12038-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-14001 page",
"url": "https://www.suse.com/security/cve/CVE-2020-14001/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-28834 page",
"url": "https://www.suse.com/security/cve/CVE-2021-28834/"
}
],
"title": "ruby3.1-rubygem-kramdown-2.4.0-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12038-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-kramdown-2.4.0-1.1.aarch64",
"product": {
"name": "ruby3.1-rubygem-kramdown-2.4.0-1.1.aarch64",
"product_id": "ruby3.1-rubygem-kramdown-2.4.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-kramdown-2.4.0-1.1.ppc64le",
"product": {
"name": "ruby3.1-rubygem-kramdown-2.4.0-1.1.ppc64le",
"product_id": "ruby3.1-rubygem-kramdown-2.4.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-kramdown-2.4.0-1.1.s390x",
"product": {
"name": "ruby3.1-rubygem-kramdown-2.4.0-1.1.s390x",
"product_id": "ruby3.1-rubygem-kramdown-2.4.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-kramdown-2.4.0-1.1.x86_64",
"product": {
"name": "ruby3.1-rubygem-kramdown-2.4.0-1.1.x86_64",
"product_id": "ruby3.1-rubygem-kramdown-2.4.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-kramdown-2.4.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.aarch64"
},
"product_reference": "ruby3.1-rubygem-kramdown-2.4.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-kramdown-2.4.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.ppc64le"
},
"product_reference": "ruby3.1-rubygem-kramdown-2.4.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-kramdown-2.4.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.s390x"
},
"product_reference": "ruby3.1-rubygem-kramdown-2.4.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-kramdown-2.4.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.x86_64"
},
"product_reference": "ruby3.1-rubygem-kramdown-2.4.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14001",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-14001"
}
],
"notes": [
{
"category": "general",
"text": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-14001",
"url": "https://www.suse.com/security/cve/CVE-2020-14001"
},
{
"category": "external",
"summary": "SUSE Bug 1174297 for CVE-2020-14001",
"url": "https://bugzilla.suse.com/1174297"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-14001"
},
{
"cve": "CVE-2021-28834",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-28834"
}
],
"notes": [
{
"category": "general",
"text": "Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-28834",
"url": "https://www.suse.com/security/cve/CVE-2021-28834"
},
{
"category": "external",
"summary": "SUSE Bug 1183814 for CVE-2021-28834",
"url": "https://bugzilla.suse.com/1183814"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2021-28834"
}
]
}
OPENSUSE-SU-2026:10352-1
Vulnerability from csaf_opensuse - Published: 2026-03-13 00:00 - Updated: 2026-03-13 00:00
Summary
ruby4.0-rubygem-kramdown-2.4.0-1.17 on GA media
Severity
Moderate
Notes
Title of the patch: ruby4.0-rubygem-kramdown-2.4.0-1.17 on GA media
Description of the patch: These are all security issues fixed in the ruby4.0-rubygem-kramdown-2.4.0-1.17 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10352
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.3 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
9.8 (Critical)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby4.0-rubygem-kramdown-2.4.0-1.17 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby4.0-rubygem-kramdown-2.4.0-1.17 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10352",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10352-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-14001 page",
"url": "https://www.suse.com/security/cve/CVE-2020-14001/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-28834 page",
"url": "https://www.suse.com/security/cve/CVE-2021-28834/"
}
],
"title": "ruby4.0-rubygem-kramdown-2.4.0-1.17 on GA media",
"tracking": {
"current_release_date": "2026-03-13T00:00:00Z",
"generator": {
"date": "2026-03-13T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10352-1",
"initial_release_date": "2026-03-13T00:00:00Z",
"revision_history": [
{
"date": "2026-03-13T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby4.0-rubygem-kramdown-2.4.0-1.17.aarch64",
"product": {
"name": "ruby4.0-rubygem-kramdown-2.4.0-1.17.aarch64",
"product_id": "ruby4.0-rubygem-kramdown-2.4.0-1.17.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby4.0-rubygem-kramdown-2.4.0-1.17.ppc64le",
"product": {
"name": "ruby4.0-rubygem-kramdown-2.4.0-1.17.ppc64le",
"product_id": "ruby4.0-rubygem-kramdown-2.4.0-1.17.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby4.0-rubygem-kramdown-2.4.0-1.17.s390x",
"product": {
"name": "ruby4.0-rubygem-kramdown-2.4.0-1.17.s390x",
"product_id": "ruby4.0-rubygem-kramdown-2.4.0-1.17.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby4.0-rubygem-kramdown-2.4.0-1.17.x86_64",
"product": {
"name": "ruby4.0-rubygem-kramdown-2.4.0-1.17.x86_64",
"product_id": "ruby4.0-rubygem-kramdown-2.4.0-1.17.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby4.0-rubygem-kramdown-2.4.0-1.17.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.aarch64"
},
"product_reference": "ruby4.0-rubygem-kramdown-2.4.0-1.17.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby4.0-rubygem-kramdown-2.4.0-1.17.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.ppc64le"
},
"product_reference": "ruby4.0-rubygem-kramdown-2.4.0-1.17.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby4.0-rubygem-kramdown-2.4.0-1.17.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.s390x"
},
"product_reference": "ruby4.0-rubygem-kramdown-2.4.0-1.17.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby4.0-rubygem-kramdown-2.4.0-1.17.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.x86_64"
},
"product_reference": "ruby4.0-rubygem-kramdown-2.4.0-1.17.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14001",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-14001"
}
],
"notes": [
{
"category": "general",
"text": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-14001",
"url": "https://www.suse.com/security/cve/CVE-2020-14001"
},
{
"category": "external",
"summary": "SUSE Bug 1174297 for CVE-2020-14001",
"url": "https://bugzilla.suse.com/1174297"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-14001"
},
{
"cve": "CVE-2021-28834",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-28834"
}
],
"notes": [
{
"category": "general",
"text": "Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-28834",
"url": "https://www.suse.com/security/cve/CVE-2021-28834"
},
{
"category": "external",
"summary": "SUSE Bug 1183814 for CVE-2021-28834",
"url": "https://bugzilla.suse.com/1183814"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.aarch64",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.ppc64le",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.s390x",
"openSUSE Tumbleweed:ruby4.0-rubygem-kramdown-2.4.0-1.17.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-13T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2021-28834"
}
]
}
OPENSUSE-SU-2024:11336-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
Summary
ruby2.7-rubygem-kramdown-2.3.1-1.3 on GA media
Severity
Moderate
Notes
Title of the patch: ruby2.7-rubygem-kramdown-2.3.1-1.3 on GA media
Description of the patch: These are all security issues fixed in the ruby2.7-rubygem-kramdown-2.3.1-1.3 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-11336
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.3 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
9.8 (Critical)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby2.7-rubygem-kramdown-2.3.1-1.3 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby2.7-rubygem-kramdown-2.3.1-1.3 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11336",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11336-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-14001 page",
"url": "https://www.suse.com/security/cve/CVE-2020-14001/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-28834 page",
"url": "https://www.suse.com/security/cve/CVE-2021-28834/"
}
],
"title": "ruby2.7-rubygem-kramdown-2.3.1-1.3 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11336-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-kramdown-2.3.1-1.3.aarch64",
"product": {
"name": "ruby2.7-rubygem-kramdown-2.3.1-1.3.aarch64",
"product_id": "ruby2.7-rubygem-kramdown-2.3.1-1.3.aarch64"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-kramdown-2.3.1-1.3.aarch64",
"product": {
"name": "ruby3.0-rubygem-kramdown-2.3.1-1.3.aarch64",
"product_id": "ruby3.0-rubygem-kramdown-2.3.1-1.3.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-kramdown-2.3.1-1.3.ppc64le",
"product": {
"name": "ruby2.7-rubygem-kramdown-2.3.1-1.3.ppc64le",
"product_id": "ruby2.7-rubygem-kramdown-2.3.1-1.3.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-kramdown-2.3.1-1.3.ppc64le",
"product": {
"name": "ruby3.0-rubygem-kramdown-2.3.1-1.3.ppc64le",
"product_id": "ruby3.0-rubygem-kramdown-2.3.1-1.3.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-kramdown-2.3.1-1.3.s390x",
"product": {
"name": "ruby2.7-rubygem-kramdown-2.3.1-1.3.s390x",
"product_id": "ruby2.7-rubygem-kramdown-2.3.1-1.3.s390x"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-kramdown-2.3.1-1.3.s390x",
"product": {
"name": "ruby3.0-rubygem-kramdown-2.3.1-1.3.s390x",
"product_id": "ruby3.0-rubygem-kramdown-2.3.1-1.3.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-kramdown-2.3.1-1.3.x86_64",
"product": {
"name": "ruby2.7-rubygem-kramdown-2.3.1-1.3.x86_64",
"product_id": "ruby2.7-rubygem-kramdown-2.3.1-1.3.x86_64"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-kramdown-2.3.1-1.3.x86_64",
"product": {
"name": "ruby3.0-rubygem-kramdown-2.3.1-1.3.x86_64",
"product_id": "ruby3.0-rubygem-kramdown-2.3.1-1.3.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-kramdown-2.3.1-1.3.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.aarch64"
},
"product_reference": "ruby2.7-rubygem-kramdown-2.3.1-1.3.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-kramdown-2.3.1-1.3.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.ppc64le"
},
"product_reference": "ruby2.7-rubygem-kramdown-2.3.1-1.3.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-kramdown-2.3.1-1.3.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.s390x"
},
"product_reference": "ruby2.7-rubygem-kramdown-2.3.1-1.3.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-kramdown-2.3.1-1.3.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.x86_64"
},
"product_reference": "ruby2.7-rubygem-kramdown-2.3.1-1.3.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-kramdown-2.3.1-1.3.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.aarch64"
},
"product_reference": "ruby3.0-rubygem-kramdown-2.3.1-1.3.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-kramdown-2.3.1-1.3.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.ppc64le"
},
"product_reference": "ruby3.0-rubygem-kramdown-2.3.1-1.3.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-kramdown-2.3.1-1.3.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.s390x"
},
"product_reference": "ruby3.0-rubygem-kramdown-2.3.1-1.3.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-kramdown-2.3.1-1.3.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.x86_64"
},
"product_reference": "ruby3.0-rubygem-kramdown-2.3.1-1.3.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-14001",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-14001"
}
],
"notes": [
{
"category": "general",
"text": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-14001",
"url": "https://www.suse.com/security/cve/CVE-2020-14001"
},
{
"category": "external",
"summary": "SUSE Bug 1174297 for CVE-2020-14001",
"url": "https://bugzilla.suse.com/1174297"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2020-14001"
},
{
"cve": "CVE-2021-28834",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-28834"
}
],
"notes": [
{
"category": "general",
"text": "Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-28834",
"url": "https://www.suse.com/security/cve/CVE-2021-28834"
},
{
"category": "external",
"summary": "SUSE Bug 1183814 for CVE-2021-28834",
"url": "https://bugzilla.suse.com/1183814"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2021-28834"
}
]
}
GHSA-MQM2-CGPR-P4M6
Vulnerability from github – Published: 2020-08-07 22:27 – Updated: 2022-04-29 20:26
Summary
Unintended read access in kramdown gem
Details
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
Severity ?
9.8 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "kramdown"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-14001"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-07T22:27:22Z",
"nvd_published_at": "2020-07-17T16:15:00Z",
"severity": "CRITICAL"
},
"details": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.",
"id": "GHSA-mqm2-cgpr-p4m6",
"modified": "2022-04-29T20:26:19Z",
"published": "2020-08-07T22:27:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14001"
},
{
"type": "WEB",
"url": "https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-mqm2-cgpr-p4m6"
},
{
"type": "PACKAGE",
"url": "https://github.com/gettalong/kramdown"
},
{
"type": "WEB",
"url": "https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/kramdown/CVE-2020-14001.yml"
},
{
"type": "WEB",
"url": "https://kramdown.gettalong.org"
},
{
"type": "WEB",
"url": "https://kramdown.gettalong.org/news.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2@%3Cnotifications.fluo.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L"
},
{
"type": "WEB",
"url": "https://rubygems.org/gems/kramdown"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200731-0004"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4562-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4743"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Unintended read access in kramdown gem"
}
BDU:2021-03178
Vulnerability from fstec - Published: 17.07.2020
Title
Уязвимость компонента kramdown gem интерпретатора Ruby, позволяющая нарушителю выполнить произвольный код
Description
Уязвимость компонента kramdown gem интерпретатора Ruby существует из-за непринятия мер по нейтрализации специальных элементов. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, выполнить произвольный код
Severity ?
Vendor
Сообщество свободного программного обеспечения, Fedora Project, Canonical Ltd., Ruby Team, АО «Концерн ВНИИНС»
Software Name
Debian GNU/Linux, Fedora, Ubuntu, Ruby, ОС ОН «Стрелец» (запись в едином реестре российских программ №6177)
Software Version
9 (Debian GNU/Linux), 10 (Debian GNU/Linux), 31 (Fedora), 32 (Fedora), 20.04 LTS (Ubuntu), до 2.3.0 (Ruby), до 16.01.2023 (ОС ОН «Стрелец»)
Possible Mitigations
Использование рекомендаций:
Обновление интерпретатора Ruby до более новой версии.
Для Debian GNU/Linux:
https://debian.org/security/2020/dsa-4743
Для Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/
Для Ubuntu:
https://ubuntu.com/security/notices/USN-4562-1
Для ОС ОН «Стрелец»:
Обновление программного обеспечения ruby-kramdown до версии 1.12.0-1+deb9u1
Reference
https://debian.org/security/2020/dsa-4743
https://security-tracker.debian.org/tracker/CVE-2020-14001
https://nvd.nist.gov/vuln/detail/CVE-2020-14001
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/
https://ubuntu.com/security/notices/USN-4562-1
https://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023
CWE
CWE-74
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Fedora Project, Canonical Ltd., Ruby Team, \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "9 (Debian GNU/Linux), 10 (Debian GNU/Linux), 31 (Fedora), 32 (Fedora), 20.04 LTS (Ubuntu), \u0434\u043e 2.3.0 (Ruby), \u0434\u043e 16.01.2023 (\u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 Ruby \u0434\u043e \u0431\u043e\u043b\u0435\u0435 \u043d\u043e\u0432\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438.\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://debian.org/security/2020/dsa-4743\n\n\u0414\u043b\u044f Fedora:\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/\n\n\u0414\u043b\u044f Ubuntu:\nhttps://ubuntu.com/security/notices/USN-4562-1\n\n\u0414\u043b\u044f \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f ruby-kramdown \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1.12.0-1+deb9u1",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "17.07.2020",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "21.11.2023",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "23.06.2021",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2021-03178",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2020-14001",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, Fedora, Ubuntu, Ruby, \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 9 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Fedora Project Fedora 31 , Fedora Project Fedora 32 , Canonical Ltd. Ubuntu 20.04 LTS , \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb \u0434\u043e 16.01.2023 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 kramdown gem \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 Ruby, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0432\u0435\u0440\u043d\u0430\u044f \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f \u043e\u0441\u043e\u0431\u044b\u0445 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u0432 \u0432 \u0432\u044b\u0445\u043e\u0434\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u044b\u0445 \u0432\u0445\u043e\u0434\u044f\u0449\u0438\u043c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u043e\u043c (\u00ab\u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044f\u00bb) (CWE-74)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 kramdown gem \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 Ruby \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0438\u0437-\u0437\u0430 \u043d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u044f \u043c\u0435\u0440 \u043f\u043e \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0445 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://debian.org/security/2020/dsa-4743\nhttps://security-tracker.debian.org/tracker/CVE-2020-14001\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14001\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/\nhttps://ubuntu.com/security/notices/USN-4562-1\nhttps://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-74",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}
FKIE_CVE-2020-14001
Vulnerability from fkie_nvd - Published: 2020-07-17 16:15 - Updated: 2024-11-21 05:02
Severity ?
Summary
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
References
| Source | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/gettalong/kramdown | Third Party Advisory | |
| cve@mitre.org | https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0 | Patch, Third Party Advisory | |
| cve@mitre.org | https://kramdown.gettalong.org | Vendor Advisory | |
| cve@mitre.org | https://kramdown.gettalong.org/news.html | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2%40%3Cnotifications.fluo.apache.org%3E | ||
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/ | ||
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/ | ||
| cve@mitre.org | https://rubygems.org/gems/kramdown | Third Party Advisory | |
| cve@mitre.org | https://security.netapp.com/advisory/ntap-20200731-0004/ | Third Party Advisory | |
| cve@mitre.org | https://usn.ubuntu.com/4562-1/ | Third Party Advisory | |
| cve@mitre.org | https://www.debian.org/security/2020/dsa-4743 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gettalong/kramdown | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://kramdown.gettalong.org | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://kramdown.gettalong.org/news.html | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2%40%3Cnotifications.fluo.apache.org%3E | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://rubygems.org/gems/kramdown | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20200731-0004/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/4562-1/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2020/dsa-4743 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| kramdown_project | kramdown | * | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 | |
| fedoraproject | fedora | 31 | |
| fedoraproject | fedora | 32 | |
| canonical | ubuntu_linux | 20.04 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kramdown_project:kramdown:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "796E1C66-E0EF-4C52-B378-FE4382555C86",
"versionEndExcluding": "2.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum."
},
{
"lang": "es",
"value": "La gema kramdown versiones anteriores a 2.3.0 para Ruby procesa la opci\u00f3n de plantilla dentro de los documentos de Kramdown por defecto, lo que permite el acceso de lectura no deseada (tal y como template=\"/etc/passwd\") o la ejecuci\u00f3n de c\u00f3digo Ruby insertado no previsto (tal y como una cadena que comienza con template=\"string://(%= \"). NOTA: kramdown es usado en Jekyll, GitLab Pages, GitHub Pages y Thredded Forum"
}
],
"id": "CVE-2020-14001",
"lastModified": "2024-11-21T05:02:19.567",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-17T16:15:11.230",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gettalong/kramdown"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://kramdown.gettalong.org"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://kramdown.gettalong.org/news.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2%40%3Cnotifications.fluo.apache.org%3E"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/"
},
{
"source": "cve@mitre.org",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://rubygems.org/gems/kramdown"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200731-0004/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4562-1/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4743"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gettalong/kramdown"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://kramdown.gettalong.org"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://kramdown.gettalong.org/news.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2%40%3Cnotifications.fluo.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://rubygems.org/gems/kramdown"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200731-0004/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4562-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4743"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GSD-2020-14001
Vulnerability from gsd - Updated: 2020-06-28 00:00
Details
The kramdown gem before 2.3.0 for Ruby processes the template option inside
Kramdown documents by default, which allows unintended read access (such as
template="/etc/passwd") or unintended embedded Ruby code execution (such as a
string that begins with template="string://<%= `). NOTE: kramdown is used in
Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
Practitioner note: because the option is honoured by default from inside the document itself, any service that renders attacker-supplied Markdown with an affected kramdown version is exposed without further configuration; all versions before 2.3.0 are affected and the remediation recorded below is to upgrade to 2.3.0 or later.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-14001",
"description": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.",
"id": "GSD-2020-14001",
"references": [
"https://www.suse.com/security/cve/CVE-2020-14001.html",
"https://www.debian.org/security/2020/dsa-4743",
"https://ubuntu.com/security/CVE-2020-14001"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "kramdown",
"purl": "pkg:gem/kramdown"
}
}
],
"aliases": [
"CVE-2020-14001",
"GHSA-mqm2-cgpr-p4m6"
],
"details": "The kramdown gem before 2.3.0 for Ruby processes the template option inside\nKramdown documents by default, which allows unintended read access (such as\ntemplate=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a\nstring that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in\nJekyll, GitLab Pages, GitHub Pages, and Thredded Forum.\n",
"id": "GSD-2020-14001",
"modified": "2020-06-28T00:00:00.000Z",
"published": "2020-06-28T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/advisories/GHSA-mqm2-cgpr-p4m6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V2"
},
{
"score": 9.8,
"type": "CVSS_V3"
}
],
"summary": "Unintended read access in kramdown gem"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14001",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gettalong/kramdown",
"refsource": "MISC",
"url": "https://github.com/gettalong/kramdown"
},
{
"name": "https://kramdown.gettalong.org",
"refsource": "MISC",
"url": "https://kramdown.gettalong.org"
},
{
"name": "https://rubygems.org/gems/kramdown",
"refsource": "MISC",
"url": "https://rubygems.org/gems/kramdown"
},
{
"name": "https://kramdown.gettalong.org/news.html",
"refsource": "CONFIRM",
"url": "https://kramdown.gettalong.org/news.html"
},
{
"name": "https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde",
"refsource": "CONFIRM",
"url": "https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde"
},
{
"name": "https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0",
"refsource": "CONFIRM",
"url": "https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200731-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200731-0004/"
},
{
"name": "[fluo-notifications] 20200808 [GitHub] [fluo-website] ctubbsii opened a new pull request #194: Update gems",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2@%3Cnotifications.fluo.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200809 [SECURITY] [DLA 2316-1] ruby-kramdown security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html"
},
{
"name": "DSA-4743",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4743"
},
{
"name": "FEDORA-2020-f6eee9a2d3",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/"
},
{
"name": "FEDORA-2020-5c70d97eca",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/"
},
{
"name": "USN-4562-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4562-1/"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2020-14001",
"cvss_v2": 7.5,
"cvss_v3": 9.8,
"date": "2020-06-28",
"description": "The kramdown gem before 2.3.0 for Ruby processes the template option inside\nKramdown documents by default, which allows unintended read access (such as\ntemplate=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a\nstring that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in\nJekyll, GitLab Pages, GitHub Pages, and Thredded Forum.\n",
"gem": "kramdown",
"ghsa": "mqm2-cgpr-p4m6",
"patched_versions": [
"\u003e= 2.3.0"
],
"title": "Unintended read access in kramdown gem",
"url": "https://github.com/advisories/GHSA-mqm2-cgpr-p4m6"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c2.3.0",
"affected_versions": "All versions before 2.3.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-74",
"CWE-937"
],
"date": "2021-07-21",
"description": "The kramdown gem processes the template option inside Kramdown documents by default, which allows unintended read access (such as `template=\"/etc/passwd\"`) or unintended embedded Ruby code execution.",
"fixed_versions": [
"2.3.0"
],
"identifier": "CVE-2020-14001",
"identifiers": [
"CVE-2020-14001"
],
"not_impacted": "All versions starting from 2.3.0",
"package_slug": "gem/kramdown",
"pubdate": "2020-07-17",
"solution": "Upgrade to version 2.3.0 or above.",
"title": "Injection Vulnerability",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-14001",
"https://kramdown.gettalong.org",
"https://kramdown.gettalong.org/news.html"
],
"uuid": "f983bf7e-3d1e-431d-8f47-8a11c0b1b210"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:kramdown_project:kramdown:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "2.3.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-14001"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template=\"/etc/passwd\") or unintended embedded Ruby code execution (such as a string that begins with template=\"string://\u003c%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kramdown.gettalong.org",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://kramdown.gettalong.org"
},
{
"name": "https://kramdown.gettalong.org/news.html",
"refsource": "CONFIRM",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://kramdown.gettalong.org/news.html"
},
{
"name": "https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0"
},
{
"name": "https://github.com/gettalong/kramdown",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gettalong/kramdown"
},
{
"name": "https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gettalong/kramdown/commit/1b8fd33c3120bfc6e5164b449e2c2fc9c9306fde"
},
{
"name": "https://rubygems.org/gems/kramdown",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://rubygems.org/gems/kramdown"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200731-0004/",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200731-0004/"
},
{
"name": "[fluo-notifications] 20200808 [GitHub] [fluo-website] ctubbsii opened a new pull request #194: Update gems",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread.html/r96df7899fbb456fe2705882f710a0c8e8614b573fbffd8d12e3f54d2@%3Cnotifications.fluo.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200809 [SECURITY] [DLA 2316-1] ruby-kramdown security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html"
},
{
"name": "DSA-4743",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4743"
},
{
"name": "FEDORA-2020-5c70d97eca",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENMMGKHRQIZ3QKGOMBBBGB6B4LB5I7NQ/"
},
{
"name": "FEDORA-2020-f6eee9a2d3",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KBLTGBYU7NKOUOHDKVCU4GFZMGA6BP4L/"
},
{
"name": "USN-4562-1",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4562-1/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2022-04-28T18:57Z",
"publishedDate": "2020-07-17T16:15Z"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.