CVE-2020-14001: Injection Vulnerability

July 17, 2020 (updated July 21, 2021)

The kramdown gem processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution.

References

kramdown.gettalong.org/
kramdown.gettalong.org/news.html
nvd.nist.gov/vuln/detail/CVE-2020-14001

Detect and mitigate CVE-2020-14001 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →