CVE-2022-24803

Name of the Vulnerable Software and Affected Versions Asciidoctor-include-ext versions prior to 0.4.0

Description The issue allows an attacker to execute arbitrary system commands on the host operating system when used to render user-supplied input in AsciiDoc markup. This attack is possible even when allow-uri-read is disabled.

Recommendations For versions prior to 0.4.0, update to version 0.4.0 or later to resolve the issue. As a temporary workaround, consider applying the provided patch to the target uri? method in the Asciidoctor::IncludeExt::IncludeProcessor class to mitigate the command injection vulnerability.