CVE-2020-14001 remediation

on under Jekyll,
2 minute read

We need to update kramdown(1.17) because of a critical vunerability;

$ bundle audit --update

Name: kramdown
Version: 1.17.0
Advisory: CVE-2020-14001
Criticality: Critical
URL: https://github.com/advisories/GHSA-mqm2-cgpr-p4m6
Title: Unintended read access in kramdown gem
Solution: upgrade to >= 2.3.0

Vulnerabilities found!

However, upgrading kramdown is not as simple as editing the Gemfile and running bundle install or gem update simply because kramdown(1.14) is a dependency of jekyll(3.8.7);

jekyll (3.8.7)
 47       addressable (~> 2.4)
 48       colorator (~> 1.0)
 49       em-websocket (~> 0.5)
 50       i18n (~> 0.7)
 51       jekyll-sass-converter (~> 1.0)
 52       jekyll-watch (~> 2.0)
 53       kramdown (~> 1.14)
 54       liquid (~> 4.0)
 55       mercenary (~> 0.3.3)
 56       pathutil (~> 0.9)
 57       rouge (>= 1.7, < 4)
 58       safe_yaml (~> 1.0)

and is thus fixed. Btw, all version of kramdown < 2.3.0 are vulnerable to CVE-2020-14001.

So to fix that, we could try running; bundle update --patch --conservative kramdown

But bundle reports back with; Bundler attempted to update kramdown but its version stayed the same

So upgrading to Jekyll 3.9.0+ is our next option since that comes with kramdown v2.0+;

$ vi Gemfile
 11 # Happy Jekylling!
 12 gem "jekyll", "~> 4.0"
 13

Now when we run bundle update jekyll jekyll(3.8.7) and it’s dependencies including kramdown are updated.

jekyll (4.1.1)
 47       addressable (~> 2.4)
 48       colorator (~> 1.0)
 49       em-websocket (~> 0.5)
 50       i18n (~> 1.0)
 51       jekyll-sass-converter (~> 2.0)
 52       jekyll-watch (~> 2.0)
 53       kramdown (~> 2.1)
 54       kramdown-parser-gfm (~> 1.0)
 55       liquid (~> 4.0)
 56       mercenary (~> 0.4.0)
 57       pathutil (~> 0.9)
 58       rouge (~> 3.0)
 59       safe_yaml (~> 1.0)
 60       terminal-table (~> 1.8)


CVE-2020-14001?

According to the national vulnerability database (NVD), CVE-2020-14001 is a critical vulnerability

which allows unintended read access (such as template=/etc/passwd) or unintended embedded Ruby code execution (such as a string that begins with template=”string://<%=`).


HTML & CSS in kramdown

You can apply a CSS class anywhere in your karmdown file using the {: .className} option which makes it easier to style different parts of your karmdown. karmdown also allows HTML mixing;

{::options parse_span_html ="true" /}

…the kramdown parser processes the content of span HTML tags as text containing span-level elements.


The Problem With The Extension

Setting {::options template="/etc/passwd"} allows unintended read access to /etc/passwd which can help an attacker guess user passwords or gain access to other crucial files in /etc such as /etc/shadow.

To mitigate the vulnerability, a forbidden_inline_options option was added in karmdown 2.3.0.

This allows developers

to restrict options allowed with the {::options /} extensions.
update, kramdown, security, vulnerability, CVE-2020-14001
comments powered by Disqus
Made with by Levis Agaba