CVE-2021-28834
Published
CVSS v3: 9.8 CRITICAL
CVSS v2: 6.8 MEDIUM
Affected: 2 PROJECTS
Description
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
kramdown is a fast, pure Ruby Markdown superset converter, using a strict syntax definition and supporting several common extensions.
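The class of bug in the description, a class looked up by name without being confined to its namespace, can be shown with a weak lookup beside a restricted one. This is an added example, not kramdown's or Rouge's code; `DemoFormatters`, `Unrelated` and both `resolve_*` helpers are hypothetical names.

```ruby
# Added illustration; DemoFormatters and Unrelated are hypothetical stand-ins,
# not kramdown or Rouge code.
module DemoFormatters
  class Base; end
  class HTML < Base; end
  class Terminal < Base; end
end

# Stand-in for any class that lives outside the formatter namespace.
class Unrelated; end

# Weak: const_get defaults to inherit=true, and for a Module receiver that
# also searches Object, so top-level constants resolve through the namespace.
def resolve_unrestricted(name)
  DemoFormatters.const_get(name)
end

# Restricted: accept a simple constant name only, look it up without
# inheritance, and require a subclass of the formatter base class.
# Anything else falls back to a fixed default instead of raising.
def resolve_restricted(name, default = DemoFormatters::HTML)
  return default unless name.is_a?(String) && name.match?(/\A[A-Z][A-Za-z0-9_]*\z/)
  return default unless DemoFormatters.const_defined?(name, false)

  klass = DemoFormatters.const_get(name, false)
  klass.is_a?(Class) && klass < DemoFormatters::Base ? klass : default
end
```

When auditing similar code, look for `const_get` or `constantize` calls fed from document or user options without the `false` inherit argument and without a type check on the result.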