RUBY:ASCIIDOCTOR-INCLUDE-EXT-2022-24803 (rubygems / RubySec advisory)

Command Injection vulnerability in asciidoctor-include-ext

Published: 2022-03-30 21:00:00
Reporter: RubySec
Source: github.com
Score: 10
Tags: asciidoctor, ruby, asciidoctor-include-ext, command injection, vulnerability, patches, workarounds, asciidoc markup, system commands, security fix

CVSS2: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

CVSS3: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Impact

Applications that use Asciidoctor (Ruby) together with asciidoctor-include-ext before version 0.4.0 and render user-supplied AsciiDoc markup may allow an attacker to execute arbitrary system commands on the host operating system, with the privileges of the rendering process. The attack does not depend on the allow-uri-read attribute: it works even when allow-uri-read is disabled, so turning that attribute off is not a mitigation. Any path by which untrusted AsciiDoc reaches a converter that has this include processor registered (a wiki, a documentation or comment renderer, a build pipeline that processes third-party files) should be treated as exposed until the gem is upgraded.

Patches

The vulnerability has been fixed in commit c7ea001 (and further improved in cbaccf3), which is included in version 0.4.0. Upgrade to asciidoctor-include-ext 0.4.0 or later. In a Bundler project, confirm the resolved version with bundle show asciidoctor-include-ext (or gem list asciidoctor-include-ext for a plain gem install) and make sure Gemfile.lock is updated, not only the Gemfile.

Workarounds

If upgrading is not immediately possible, override the gem's private target_uri? method so that an include target is treated as a remote URI only when it carries an explicit http:// or https:// scheme and also parses as a URI::HTTP; anything that fails to parse is treated as not a URI:

require 'asciidoctor/include_ext'

class Asciidoctor::IncludeExt::IncludeProcessor
  # Overrides superclass private method to mitigate Command Injection
  # vulnerability in asciidoctor-include-ext <0.4.0.
  def target_uri?(target)
    target.downcase.start_with?('http://', 'https://') \
      && URI.parse(target).is_a?(URI::HTTP)
  rescue URI::InvalidURIError
    false
  end
end

Load this override once, before any document is rendered (for example in the same initializer that registers the include processor), and remove it after upgrading to 0.4.0 or later, where the fix lives in the gem itself.
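To make the workaround concrete, here is an added example that is not part of this advisory or of the asciidoctor-include-ext gem. It copies the hardened target_uri? logic into a stand-alone module so it can be exercised without the gem installed, and pairs it with a local-file reader that uses File.open rather than Kernel#open or IO.read, because those two treat a string beginning with "|" as a command to run. The module name IncludeTargetCheck, the read_local_include helper and the rule that local includes must stay under a base directory are assumptions made for this example; the real gem resolves and reads includes through its own reader classes.

```ruby
require 'uri'
require 'tmpdir'

# Added example, not code from the asciidoctor-include-ext gem. The module
# name, read_local_include and the base-directory rule are assumptions made
# for this demonstration.
module IncludeTargetCheck
  module_function

  # Same logic as the advisory's target_uri? override: a target counts as a
  # remote URI only when it has an explicit http(s) scheme AND parses as
  # URI::HTTP. Malformed input is reported as "not a URI" instead of raising.
  def target_uri?(target)
    target.downcase.start_with?('http://', 'https://') \
      && URI.parse(target).is_a?(URI::HTTP)
  rescue URI::InvalidURIError
    false
  end

  # Non-URI targets are files relative to the including document.
  # Kernel#open and the IO class methods (IO.read, IO.readlines, IO.foreach)
  # spawn a subprocess when the string starts with '|'; File.open has no such
  # special case, so '|id' is merely a file name that does not exist.
  # Confining the resolved path to base_dir is an assumed policy here, not
  # something the gem enforces.
  def read_local_include(target, base_dir)
    base = File.expand_path(base_dir)
    path = File.expand_path(target, base)
    unless path.start_with?(base + File::SEPARATOR)
      raise ArgumentError, "include target escapes #{base}: #{target.inspect}"
    end
    File.open(path, 'r', &:readlines)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample targets; the .adoc file is created in a temp dir.
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'intro.adoc'), "= Intro\n\nHello.\n")
    ['intro.adoc', 'http://example.com/x.adoc', '|id', '../etc/passwd'].each do |t|
      if IncludeTargetCheck.target_uri?(t)
        puts "#{t.inspect}: remote URI (would be fetched by an HTTP reader)"
        next
      end
      begin
        n = IncludeTargetCheck.read_local_include(t, dir).size
        puts "#{t.inspect}: local file, #{n} lines"
      rescue Errno::ENOENT, ArgumentError => e
        puts "#{t.inspect}: rejected (#{e.class})"
      end
    end
  end
end
```

Run it with ruby to see each sample target classified. The two lines worth looking at are "|id", which is rejected with Errno::ENOENT instead of spawning a process, and "../etc/passwd", which the directory check rejects. If your own code ever hands an include target to Kernel#open, IO.read, IO.readlines or IO.foreach, that is the pattern to remove, whatever gem version you run.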

Affected configurations

Vulners node: ruby asciidoctor-include-ext, range < 0.4.0

Vendor   Product                   Version  CPE
ruby     asciidoctor-include-ext   *        cpe:2.3:a:ruby:asciidoctor-include-ext:*:*:*:*:*:*:*:*
