DSA-4743-1 ruby-kramdown -- ruby-kramdown
ID: oval:org.secpod.oval:def:604984 | Date: (C)2020-08-31 (M)2023-11-13
Class: PATCH | Family: unix
A flaw was discovered in ruby-kramdown, a fast, pure-Ruby Markdown parser and converter, which could result in unintended read access to files or unintended embedded Ruby code execution when the {::options /} extension is used together with the "template" option. The update introduces a new option, "forbidden_inline_options", to restrict which options are allowed with the {::options /} extension. By default the "template" option is forbidden.
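
A pre-conversion audit for the condition described above, as an added example that is not kramdown's or the advisory's own code: it flags {::options /} extensions in untrusted Markdown that set an option on a deny list, which defaults to "template". The name `audit_inline_options`, the regexes approximating the extension syntax, and the sample document are assumptions constructed for illustration.

```ruby
# Added example: flag {::options /} extensions that set deny-listed options.
# Names and regexes are assumptions for illustration, not kramdown's code.

# Mirrors the advisory's default: "template" is forbidden inline.
DEFAULT_FORBIDDEN = %w[template].freeze

# Heuristic approximation of {::options key="value" /}; "\}" may appear
# escaped inside the extension body.
OPTIONS_EXT = /\{::options(?:\s((?:\\\}|[^}])*?))?\/?\}/m
ATTRIBUTE   = /(\w[\w-]*)=(["'])(?:\\.|(?!\2).)*?\2/m

Finding = Struct.new(:line, :option)

# Returns one Finding per forbidden option set inline in +markdown+.
def audit_inline_options(markdown, forbidden = DEFAULT_FORBIDDEN)
  deny = forbidden.map(&:to_s)
  findings = []
  markdown.scan(OPTIONS_EXT) do
    match = Regexp.last_match
    line = match.pre_match.count("\n") + 1
    match[1].to_s.scan(ATTRIBUTE) do |key, _quote|
      findings << Finding.new(line, key) if deny.include?(key)
    end
  end
  findings
end

# Constructed sample input; the template value is a placeholder.
SAMPLE = <<~'MD'
  # Release notes

  {::options auto_ids="false" /}

  Some text.

  {::options template="PLACEHOLDER" /}
MD

if __FILE__ == $PROGRAM_NAME
  audit_inline_options(SAMPLE).each do |f|
    puts "line #{f.line}: inline option '#{f.option}' is forbidden"
  end
end
```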