Kramdown Template Option Processing Vulnerability Allowing File Read and Code Execution

Vulnerability

A vulnerability exists in the kramdown gem, specifically in versions prior to 2.3.0, within the default processing of the 'template' option in Kramdown documents. This behavior can lead to unintended read access to sensitive files, such as '/etc/passwd', or unauthorized execution of embedded Ruby code. The vulnerability is triggered when the '{::options}' extension is used with the 'template' option, allowing crafted input to be processed in a way that could execute arbitrary code or access restricted files. Kramdown is a Markdown parser and converter written in Ruby, and this vulnerability affects multiple NetApp products that incorporate Ruby.

Impact

Exploitation of this vulnerability could result in unauthorized read access to sensitive files, execution of arbitrary Ruby code, or a denial-of-service condition.

Reproduction

To reproduce this vulnerability, create a Kramdown document that includes the '{::options template="/etc/passwd"}' directive. This can be done by using the Kramdown command-line tool or by incorporating the vulnerable version of the kramdown gem into a Ruby application. When the document is processed, the 'template' option will be applied by default, leading to the unintended read access or code execution.

Remediation

Users can upgrade to kramdown version 2.3.0 or later, where this vulnerability has been addressed. Instructions for updating can be found in the RubyGems documentation.
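As an added defensive example (not kramdown's own code), the following Ruby pre-filter scans untrusted Markdown for '{::options}' directives that try to set the 'template' option, so a service can reject such input before it reaches the converter; it assumes the kramdown extension syntax '{::options key="value" /}' and is a stop-gap alongside the real fix, which is upgrading to 2.3.0 or later.

```ruby
# Pre-filter for untrusted kramdown input. Finds every {::options ... /}
# extension block and reports any attribute whose name is on the forbidden
# list (by default just 'template', the option abused on this page).
# Both the '{::options ...}' and '{::options ... /}' spellings are handled.
OPTIONS_EXT = /\{::options\b([^}]*?)\/?\}/i
ATTR = /([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/

# Returns one Hash of lower-cased option name => value per directive found.
def inline_option_directives(markdown)
  markdown.to_enum(:scan, OPTIONS_EXT).map do
    attrs = Regexp.last_match(1)
    attrs.scan(ATTR).each_with_object({}) do |(key, dq, sq), opts|
      opts[key.downcase] = dq || sq
    end
  end
end

# Returns [[name, value], ...] for every forbidden option set inline.
def find_forbidden_options(markdown, forbidden = ['template'])
  inline_option_directives(markdown).flat_map do |opts|
    opts.select { |name, _| forbidden.include?(name) }.to_a
  end
end

# True when no directive tries to set a forbidden option.
def safe_to_convert?(markdown)
  find_forbidden_options(markdown).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input mirroring the directive described on this page.
  doc = "{::options template=\"/etc/passwd\"}\n\n# Release notes\n"
  puts "forbidden: #{find_forbidden_options(doc).inspect}"
  puts "safe: #{safe_to_convert?(doc)}"
end
```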

Added: Mar 30, 2026, 9:22 AM
Updated: Mar 30, 2026, 9:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 5.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.