Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update codebase to patch kramdown vulnerability. #20

Open
jestill opened this issue Oct 6, 2020 · 1 comment
Open

Update codebase to patch kramdown vulnerability. #20

jestill opened this issue Oct 6, 2020 · 1 comment
Labels
bug

Comments

@jestill
Copy link

jestill commented Oct 6, 2020
edited
Loading

I have a dependabot (https://dependabot.com/) scan running on repos I am attached to. It identified a high severity vulnerability in this code base. I pushed a button to fix it. I think that this should come through as a pull request.
@jestill jestill added the bug label Oct 6, 2020
@jestill
Copy link
Author

jestill commented Oct 6, 2020

Info from dependabot is

CVE-2020-14001
high severity
Vulnerable versions: < 2.3.0
Patched version: 2.3.0
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jestill