SUSE update for rubygem-kramdown



Published: 2022-09-12
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-14001
CWE-ID CWE-74
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
SUSE Linux Enterprise Storage
Operating systems & Components / Operating system

SUSE Manager Retail Branch Server
Operating systems & Components / Operating system

SUSE Linux Enterprise High Availability
Operating systems & Components / Operating system

SUSE Manager Proxy
Operating systems & Components / Operating system

SUSE Manager Server
Operating systems & Components / Operating system

SUSE Linux Enterprise Server for SAP Applications
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing
Operating systems & Components / Operating system

SUSE Linux Enterprise Server
Operating systems & Components / Operating system

openSUSE Leap
Operating systems & Components / Operating system

ruby2.5-rubygem-kramdown-testsuite
Operating systems & Components / Operating system package or component

ruby2.5-rubygem-kramdown-doc
Operating systems & Components / Operating system package or component

ruby2.5-rubygem-kramdown
Operating systems & Components / Operating system package or component

Vendor SuSE

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Improper Neutralization of Special Elements in Output Used by a Downstream Component

EUVDB-ID: #VU31897

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-14001

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to improper validation of input. A remote attacker can gain read access (such as template="/etc/passwd") or embedded Ruby code execution (such as a string that begins with template="string://<%= `).

Mitigation

Update the affected package rubygem-kramdown to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Storage: 6 - 7.1

SUSE Manager Retail Branch Server: 4.0 - 4.3

SUSE Linux Enterprise High Availability: 15-SP1 - 15-SP4

SUSE Manager Proxy: 4.0 - 4.3

SUSE Manager Server: 4.0 - 4.3

SUSE Linux Enterprise Server for SAP Applications: 15 - 15-SP4

SUSE Linux Enterprise High Performance Computing: 15 - 15-SP4

SUSE Linux Enterprise Server: 15-SP1 - 15-SP4

openSUSE Leap: 15.3 - 15.4

ruby2.5-rubygem-kramdown-testsuite: before 1.15.0-150000.3.3.1

ruby2.5-rubygem-kramdown-doc: before 1.15.0-150000.3.3.1

ruby2.5-rubygem-kramdown: before 1.15.0-150000.3.3.1


CPE2.3 External links

http://www.suse.com/support/update/announcement/2022/suse-su-20223259-1/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###