GHSA-2c83-wfv3-q25f – rebber

Package

Manager: npm
Name: rebber
Vulnerable Version: >=0 <5.2.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: N/A pctlN/A

Details

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ZMarkdown ### Impact A Remote Command Execution vulnerability was found in the rebber module, which allowed execution of arbitrary commands. The reported problem came from CodeBlocks, which could be escaped to insert malicious LaTeX. Anyone using `rebber` without sanitation of code content or a custom macro is impacted by this vulnerability. Here is an example of a Markdown content that will exploit the vulnerability: ````markdown ``` \end{CodeBlock} \immediate\write18{COMMAND > outputrce} \input{outputrce} \begin{CodeBlock}{text} ``` ```` Will insert into the generated LaTeX the result of executing `COMMAND` on the system. ### Patches The vulnerability has been patched in version 5.2.1. If impacted, you should update to this version as soon as possible. ### Workarounds It is possible to mitigate the vulnerability without upgrading by using a custom code macro. Please make sure this custom macro escapes your closing LaTeX sequence. For the example above, use: ```javascript const escaped = content.replace(new RegExp('\\\\end\\s*{CodeBlock}', 'g'), '') ``` ### For more information If you have any questions or comments about this advisory, open an issue in [ZMarkdown](https://github.com/zestedesavoir/zmarkdown/issues).

Metadata

Created: 2021-09-07T23:07:56Z
Modified: 2021-09-07T14:04:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-2c83-wfv3-q25f/GHSA-2c83-wfv3-q25f.json
CWE IDs: ["CWE-78"]
Alternative ID: N/A
Finding: F004
Auto approve: 1