Update kramdown to remedy CVE vulnerability #2940

Merged
merged 1 commit into from
Aug 8, 2020

Conversation

@schalkms schalkms commented Aug 8, 2020

CVE-2020-14001 high severity
Vulnerable versions: < 2.3.0
Patched version: 2.3.0
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

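The advisory quoted in the pull request description gives a version range and an attack vector (the `template` option set from inside a document). Below is an added defender-side check, not code from this repository or from kramdown: it reads the kramdown pin from a Gemfile.lock, compares it with the patched 2.3.0 release, and flags Markdown sources that set `template` through kramdown's inline `{::options ... /}` block. The lockfile and Markdown inputs are constructed samples.

```ruby
# Added example for CVE-2020-14001: is the pinned kramdown older than 2.3.0,
# and does any Markdown source try to set the `template` option inline?
# Sample inputs below are constructed, not taken from the detekt repository.
require 'rubygems'

PATCHED_KRAMDOWN = Gem::Version.new('2.3.0')

# Gemfile.lock lists resolved gems under "specs:" with a four-space indent;
# dependency lines are indented six spaces and are skipped by the anchor.
def kramdown_version(lockfile_text)
  m = lockfile_text.match(/^ {4}kramdown \(([^)]+)\)/)
  m && Gem::Version.new(m[1])
end

# True only when kramdown is pinned to a version before the patched release.
def vulnerable_kramdown?(lockfile_text)
  v = kramdown_version(lockfile_text)
  !v.nil? && v < PATCHED_KRAMDOWN
end

# kramdown documents can override parser options with an inline block of the
# form {::options key="value" /}. Return every such block that sets `template`,
# which is the vector the advisory describes.
def inline_template_options(markdown)
  markdown.scan(/\{::options\b([^}]*)\}/).flatten
          .select { |opts| opts =~ /\btemplate\s*=/ }
          .map(&:strip)
end

# Constructed sample inputs.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jekyll (4.1.1)
        kramdown (~> 2.1)
      kramdown (2.1.0)
LOCK

SAMPLE_MARKDOWN = <<~MD
  # Release notes
  {::options parse_block_html="true" /}
  {::options template="/etc/passwd" /}
  Body text.
MD

puts "kramdown #{kramdown_version(SAMPLE_LOCK)} vulnerable: #{vulnerable_kramdown?(SAMPLE_LOCK)}"
puts "inline template options: #{inline_template_options(SAMPLE_MARKDOWN).inspect}"
```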
codecov bot commented Aug 8, 2020

Codecov Report

Merging #2940 into master will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master    #2940   +/-   ##
=========================================
  Coverage     80.28%   80.28%           
  Complexity     2454     2454           
=========================================
  Files           421      421           
  Lines          7405     7405           
  Branches       1356     1356           
=========================================
  Hits           5945     5945           
  Misses          757      757           
  Partials        703      703           

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0241d9f...3df95ab.

@schalkms schalkms merged commit c1bf0b3 into master Aug 8, 2020
@schalkms schalkms deleted the kramdown branch August 8, 2020 08:57
@arturbosch arturbosch added the housekeeping Marker for housekeeping tasks and refactorings label Aug 9, 2020
@arturbosch arturbosch added this to the 1.11.0 milestone Aug 9, 2020
Labels
housekeeping Marker for housekeeping tasks and refactorings