Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-V222-6MR4-QJ29
HistoryMar 31, 2022 - 11:27 p.m.

Command Injection vulnerability in asciidoctor-include-ext

2022-03-3123:27:15
CWE-78
GitHub Advisory Database
github.com
19
asciidoctor
ruby
command injection

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.004

Percentile

74.9%

JSON

Impact

Applications using Asciidoctor (Ruby) with asciidoctor-include-ext (prior to version 0.4.0), which render user-supplied input in AsciiDoc markup, may allow an attacker to execute arbitrary system commands on the host operating system. This attack is possible even when allow-uri-read is disabled! (EDIT: it’s not)

Patches

The vulnerability has been fixed in commit c7ea001 (and further improved in cbaccf3), which is included in version 0.4.0.

Workarounds

require 'asciidoctor/include_ext'

class Asciidoctor::IncludeExt::IncludeProcessor
  # Overrides superclass private method to mitigate Command Injection
  # vulnerability in asciidoctor-include-ext <0.4.0.
  def target_uri?(target)
    target.downcase.start_with?('http://', 'https://') \
      && URI.parse(target).is_a?(URI::HTTP)
  rescue URI::InvalidURIError
    false
  end
end

References

Credits

This vulnerability was discovered by Joern Schneeweisz from the GitLab Security Research Team.

For more information

See commit message c7ea001.

If you have any questions or comments about this advisory open an issue in jirutka/asciidoctor-include-ext.

Affected configurations

Vulners
Node
asciidoctor-include-ext_projectasciidoctor-include-extRange<0.4.0
VendorProductVersionCPE
asciidoctor-include-ext_projectasciidoctor-include-ext*cpe:2.3:a:asciidoctor-include-ext_project:asciidoctor-include-ext:*:*:*:*:*:*:*:*

Related

debiancve 1
rubygems 1
osv 2
prion 1
nvd 1
ubuntucve 1
cvelist 1
veracode 1
cve 1
debiancve
debiancve
CVE-2022-24803
2022-04-01 00:15:08
rubygems
rubygems
Command Injection vulnerability in asciidoctor-include-ext
2022-03-30 21:00:00
osv
osv
CVE-2022-24803
2022-04-01 00:15:08
Command Injection vulnerability in asciidoctor-include-ext
2022-03-31 23:27:15
prion
prion
Design/Logic Flaw
2022-04-01 00:15:00
nvd
nvd
CVE-2022-24803
2022-04-01 00:15:08
ubuntucve
ubuntucve
CVE-2022-24803
2022-04-01 00:00:00
cvelist
cvelist
CVE-2022-24803 Command Injection vulnerability in asciidoctor-include-ext
2022-03-31 23:30:14
veracode
veracode
Command Injection
2022-04-01 03:24:07
cve
cve
CVE-2022-24803
2022-04-01 00:15:08

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.004

Percentile

74.9%

JSON
Related for GHSA-V222-6MR4-QJ29
debiancve1rubygems1osv2prion1nvd1ubuntucve1cvelist1veracode1cve1