PT-2020-6146 · Ruby+4 · Kramdown+4

Published

2020-07-17

·

Updated

2026-03-13

·

CVE-2020-14001

CVSS v2.0

10

Critical

Vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: kramdown gem versions prior to 2.3.0
Description: kramdown versions before 2.3.0 honour the template option when it is set from inside a document through an options block ({::options template="..." /}), so whoever supplies the Markdown also chooses the template the parser loads. The template value is resolved as a file path and rendered through ERB, which gives a remote, unauthenticated attacker who can submit Markdown to a vulnerable application two outcomes: unintended read access, e.g. template="/etc/passwd" copies that file into the rendered output, or execution of embedded Ruby code, e.g. a value beginning with string://<%= followed by Ruby code that ERB evaluates in the parser process.
Recommendations: For versions prior to 2.3.0, update to 2.3.0 or later; that release adds the forbidden_inline_options option, whose default (template) stops the template option from being set from inside a document. Until the upgrade is applied, reject or strip inline {::options ... /} blocks that set template before parsing untrusted Markdown, and run the parser under a least-privilege account that cannot read sensitive files, so that a successful read or code execution is contained.
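Added example, not code from the kramdown project or from this advisory: a Ruby pre-parse check that finds and strips inline {::options ... /} blocks setting the template option, i.e. the interim workaround above for applications that cannot move to 2.3.0 immediately. The two regexes approximate kramdown's options-block syntax (key="value" or key='value' attributes separated by whitespace) and are an assumption of this example; the sample document is constructed. If the kramdown gem is installed the cleaned document is rendered, otherwise only the detection runs.

```ruby
# Added example (not kramdown's own code): detect and strip inline
# {::options .../} blocks that set "template" in untrusted Markdown, the
# injection vector of CVE-2020-14001 in kramdown < 2.3.0.
# Assumption: attributes are key="value" or key='value' pairs; this is an
# approximation of kramdown's extension syntax, not its real parser.
OPTIONS_BLOCK = /\{::options\s+([^}]*?)\s*\/?\}/
OPTION_ATTR   = /(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')/

# Option names that must never be settable from document content:
# "template" reads an arbitrary file, or runs ERB when prefixed "string://".
FORBIDDEN_INLINE = %w[template].freeze

# All (key, value) pairs set by inline options blocks, in document order.
def inline_options(markdown)
  markdown.scan(OPTIONS_BLOCK).flat_map do |(attrs)|
    attrs.scan(OPTION_ATTR).map { |key, dq, sq| [key, dq || sq] }
  end
end

# Only the pairs a hostile document could use to read files or run code.
def forbidden_inline_options(markdown)
  inline_options(markdown).select { |key, _| FORBIDDEN_INLINE.include?(key) }
end

# The document with offending options blocks removed; harmless blocks
# (e.g. auto_ids) are left intact.
def strip_forbidden_options(markdown)
  markdown.gsub(OPTIONS_BLOCK) do |block|
    keys = Regexp.last_match(1).scan(OPTION_ATTR).map(&:first)
    keys.any? { |k| FORBIDDEN_INLINE.include?(k) } ? "" : block
  end
end

# Constructed sample: both forms from the advisory plus one benign block.
UNTRUSTED_DOC = <<~'MD'
  # Release notes

  {::options template="/etc/passwd" /}
  {::options template='string://<%= `id` %>' /}
  {::options auto_ids="false" /}

  Regular *Markdown* content.
MD

# kramdown >= 2.3.0 already refuses inline "template" by default
# (forbidden_inline_options); the stripping above only matters for code
# pinned to an older gem. The gem is optional for this example.
begin
  require 'kramdown'
rescue LoadError
  # gem not installed here; detection still works without it
end

# Render after stripping; without the gem, hand back the sanitized source.
def render_untrusted(markdown)
  cleaned = strip_forbidden_options(markdown)
  return cleaned unless defined?(Kramdown)
  Kramdown::Document.new(cleaned).to_html
end

if __FILE__ == $PROGRAM_NAME
  forbidden_inline_options(UNTRUSTED_DOC).each do |key, value|
    warn "rejected inline option #{key}=#{value.inspect}"
  end
  puts render_untrusted(UNTRUSTED_DOC)
end
```

The filter is a stop-gap, not a replacement for the upgrade: a regex cannot track every way kramdown's own parser tolerates escaped braces or odd whitespace, whereas the 2.3.0 check is applied inside the parser at the point where inline options are merged.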

Exploit

Fix

Missing Authorization

Special Elements Injection

Weakness Enumeration

Related Identifiers

ALT-PU-2021-1602
BDU:2021-03178
CVE-2020-14001
DLA-2316-1
DSA-4743-1
GHSA-MQM2-CGPR-P4M6
OESA-2021-1280
OPENSUSE-SU-2022_3259-1
OPENSUSE-SU-2024:11336-1
OPENSUSE-SU-2024:12038-1
OPENSUSE-SU-2024:13161-1
OPENSUSE-SU-2024:14170-1
OPENSUSE-SU-2025:15119-1
OPENSUSE-SU-2026:10352-1
SUSE-SU-2022:3259-1
SUSE-SU-2022_3259-1
USN-4562-1
USN-4562-2

Affected Products

Alt Linux
Linuxmint
Suse
Ubuntu
Kramdown