Sync GitHub Security Advisories

* Add CVE-2021-28834 for kramdown * Add CVE-2020-24392 for twitter-stream
rubysec · Mar 30, 2021 · d06e48b · d06e48b
1 parent 77b2438
commit d06e48b
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/gems/kramdown/CVE-2021-28834.yml b/gems/kramdown/CVE-2021-28834.yml
@@ -0,0 +1,23 @@
+---
+gem: kramdown
+cve: 2021-28834
+ghsa: 52p9-v744-mwjj
+url: https://github.com/advisories/GHSA-52p9-v744-mwjj
+date: 2021-03-29
+title: Remote code execution in Kramdown
+description: |
+  Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters
+  namespace, and thus arbitrary classes can be instantiated.
+
+cvss_v3: 9.8
+
+patched_versions:
+  - ">= 2.3.1"
+
+unaffected_versions:
+  - "< 1.16.0"
+
+related:
+  url:
+    - https://github.com/gettalong/kramdown/pull/708
+    - https://about.gitlab.com/releases/2021/03/17/security-release-gitlab-13-9-4-released/#remote-code-execution-via-unsafe-user-controlled-markdown-rendering-options
diff --git a/gems/twitter-stream/CVE-2020-24392.yml b/gems/twitter-stream/CVE-2020-24392.yml
@@ -0,0 +1,13 @@
+---
+gem: twitter-stream
+cve: 2020-24392
+ghsa: p6p8-q4pj-f74m
+url: https://securitylab.github.com/advisories/GHSL-2020-097-voloko-twitter-stream/
+date: 2021-03-29
+title: Improper Certificate Validation in twitter-stream
+description: |
+  In voloko twitter-stream 0.1.16, missing TLS hostname validation allows
+  an attacker to perform a man-in-the-middle attack against users of the library (because
+  eventmachine is misused).
+
+cvss_v3: 5.9