CVE-2021-28834

Code Injection in gem/kramdown

Identifier

CVE-2021-28834

Package Slug

gem/kramdown

Vulnerability

Code Injection

Description

Kramdown does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
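
The class of bug described above, as an added Ruby example that is not kramdown's or Rouge's own code: it contrasts an unrestricted constant lookup with one confined to a single namespace. `DemoFormatters`, `UnrelatedTopLevel` and the helper functions are constructed stand-ins, and it is assumed that the formatter name arrives as a string from configuration.

```ruby
# Constructed stand-in for a formatter namespace (not Rouge itself).
module DemoFormatters
  class HTML; end
  class HTMLLegacy; end
end

# Constructed top-level class that a formatter name must never reach.
class UnrelatedTopLevel; end

# Unrestricted lookup: with the default inherit=true, const_get on a module
# also searches Object and accepts "A::B" paths, so classes outside the
# intended namespace resolve as well.
def loose_formatter_class(name)
  DemoFormatters.const_get(name)
end

# A single plain constant name: no "::" paths, no lowercase or empty input.
SIMPLE_CONST = /\A[[:upper:]][[:alnum:]_]*\z/

# Confined lookup: validate the name, search only the namespace itself
# (inherit=false), and fall back to a fixed default for anything else.
def strict_formatter_class(name, default: DemoFormatters::HTMLLegacy)
  return default unless name.is_a?(String) && name.match?(SIMPLE_CONST)
  return default unless DemoFormatters.const_defined?(name, false)

  klass = DemoFormatters.const_get(name, false)
  klass.is_a?(Class) ? klass : default
end

# Resolve one name both ways; nil means the loose lookup raised NameError.
def resolve_both(name)
  loose = begin
    loose_formatter_class(name)
  rescue NameError
    nil
  end
  [loose, strict_formatter_class(name)]
end

%w[HTML UnrelatedTopLevel DemoFormatters::HTML html].each do |name|
  loose, strict = resolve_both(name)
  puts format('%-22s loose=%-18s strict=%s', name, loose.inspect, strict)
end
```
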

Affected Versions

All versions before 2.3.1

Solution

Upgrade to version 2.3.1 or above.

Last Modified

2021-03-26
