CVE-2022-24803 – asciidoctor-include-ext
Package
Manager: gem
Name: asciidoctor-include-ext
Vulnerable Version: >=0 <0.4.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.01313 (percentile 0.79045)
Details
Command Injection vulnerability in asciidoctor-include-ext

### Impact

Applications using [Asciidoctor (Ruby)](https://github.com/asciidoctor/asciidoctor) with [asciidoctor-include-ext](https://github.com/jirutka/asciidoctor-include-ext) (prior to version 0.4.0), which render user-supplied input in AsciiDoc markup, may allow an attacker to execute arbitrary system commands on the host operating system. ~~This attack is possible even when `allow-uri-read` is disabled!~~ (EDIT: it’s not)

### Patches

The vulnerability has been fixed in commit c7ea001 (and further improved in cbaccf3), which is included in version [0.4.0](https://rubygems.org/gems/asciidoctor-include-ext/versions/0.4.0).

### Workarounds

```rb
require 'asciidoctor/include_ext'

class Asciidoctor::IncludeExt::IncludeProcessor
  # Overrides superclass private method to mitigate Command Injection
  # vulnerability in asciidoctor-include-ext <0.4.0.
  def target_uri?(target)
    target.downcase.start_with?('http://', 'https://') \
      && URI.parse(target).is_a?(URI::HTTP)
  rescue URI::InvalidURIError
    false
  end
end
```

### References

* https://sakurity.com/blog/2015/02/28/openuri.html

### Credits

This vulnerability was discovered by Joern Schneeweisz from the GitLab Security Research Team.

### For more information

See commit message c7ea001. If you have any questions or comments about this advisory open an issue in [jirutka/asciidoctor-include-ext](https://github.com/jirutka/asciidoctor-include-ext/issues/).
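The workaround above only accepts an include target as a remote URI when it both starts with `http://` or `https://` (case-insensitively) and parses to a `URI::HTTP` object; anything else, including strings that `URI.parse` rejects, is treated as not a URI. The following is an added, self-contained example (not code from the advisory or from asciidoctor-include-ext) that reimplements that exact check as a plain function so it can be run without the gem, and applies it to a handful of constructed include targets. The function names `safe_include_target?` and `remote_targets` and all sample targets are assumptions for illustration.

```ruby
require 'uri'

# Same predicate as the advisory's workaround, lifted out of the
# IncludeProcessor class so it can be exercised stand-alone.
# Returns true only for a well-formed http(s) URI; false for every
# other string, including ones URI.parse cannot parse at all.
def safe_include_target?(target)
  target.downcase.start_with?('http://', 'https://') \
    && URI.parse(target).is_a?(URI::HTTP)
rescue URI::InvalidURIError
  # A target that looks like http(s) but is not a valid URI is rejected
  # rather than passed on to any URI-opening code path.
  false
end

# Filters a list of include targets down to those the hardened check
# will allow to be fetched as remote documents.
def remote_targets(targets)
  targets.select { |t| safe_include_target?(t) }
end

# Constructed sample targets, as they might appear in an include:: macro.
SAMPLE_TARGETS = [
  'http://example.com/docs/intro.adoc',   # plain http, accepted
  'HTTPS://Example.COM/chapters/a.adoc',  # mixed-case scheme, accepted
  'file:///etc/hosts',                    # non-http scheme, rejected
  'chapters/intro.adoc',                  # relative path, rejected
  'http://exa mple.com/x.adoc'            # malformed URI, rejected
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_TARGETS.each do |t|
    puts "#{safe_include_target?(t) ? 'remote  ' : 'rejected'} #{t}"
  end
end
```

Running the script prints one line per sample target; only the two http(s) entries are classified as remote, and the malformed `http://exa mple.com/x.adoc` is rejected via the `URI::InvalidURIError` rescue rather than raising.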
Metadata
Created: 2022-03-31T23:27:15Z
Modified: 2023-05-16T15:46:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-v222-6mr4-qj29/GHSA-v222-6mr4-qj29.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-v222-6mr4-qj29
Finding: F404
Auto approve: 1