CVE-2020-14001

CRITICAL

kramdown < 2.3.0 - Unauthenticated Arbitrary File Read and Remote Code Execution via Template Option


Description

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

References (13)

Vendor Advisory: https://kramdown.gettalong.org
Third Party Advisory: https://rubygems.org/gems/kramdown
Release Notes, Vendor Advisory: https://kramdown.gettalong.org/news.html
Patch, Third Party Advisory: https://github.com/gettalong/kramdown/compare/REL_2_2_1...REL_2_3_0
Third Party Advisory: https://security.netapp.com/advisory/ntap-20200731-0004/
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html
Third Party Advisory (Debian): https://www.debian.org/security/2020/dsa-4743
Third Party Advisory (Ubuntu): https://usn.ubuntu.com/4562-1/

Scores

CVSS v3 9.8
EPSS 0.0935
EPSS Percentile 92.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-862
Status published
Products (7)
canonical/ubuntu_linux 20.04
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 31
fedoraproject/fedora 32
kramdown_project/kramdown < 2.3.0
rubygems/kramdown 0 - 2.3.0 (RubyGems)
Published Jul 17, 2020
Tracked Since Feb 18, 2026