GHSA-mq6v-w35g-3c97: Local File Inclusion vulnerability in zmarkdown
A minor Local File Inclusion vulnerability has been found in zmarkdown, which allowed images with a known path on the host machine to be included inside a LaTeX document. Because the path is written into the generated LaTeX, any file on the rendering host that LaTeX accepts as an image ends up in the rendered output.

To prevent it, a new option has been created that allows replacing invalid paths with a default image instead of linking to the image on the host directly. zmarkdown has been updated to make this setting the default.
Every user of zmarkdown is likely impacted, unless LaTeX generation or image downloading is disabled. Here is an example of including an image from an invalid path:

![](/tmp/img.png)

This will effectively re-download and include the image found at /tmp/img.png on the host.