PT-2023-23718 · Pypi · Pymdown Extensions

Itlabbet · Published 2023-05-15 · Updated 2023-05-25 · CVE-2023-32309

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: PyMdown Extensions versions prior to 10.0

Description: The issue allows an arbitrary file read through the include file syntax. With the syntax --8<--"/etc/passwd" or --8<--"/proc/self/environ", the content of these files is rendered in the generated documentation. A path relative to a specified, allowed base path can also be used to render the content of a file outside the specified base paths, such as --8<-- "../../../../etc/passwd". The Snippets extension has a base path option, but its implementation is vulnerable to directory traversal. The vulnerable section is in get_snippet_path(self, path), lines 155 to 174 of snippets.py. Any readable file on the host where the plugin is executing may have its content exposed, which affects any deployment that exposes the use of Snippets to external users.

Recommendations: Upgrade versions prior to 10.0 to version 10.0 to resolve the issue. As a temporary workaround for users unable to upgrade, restrict relative paths by filtering input.
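
The base path bypass described above, next to the kind of path restriction the workaround calls for, as an added Python example; it is not the code from snippets.py or the 10.0 fix. The function names resolve_naive and resolve_restricted and the temporary directory tree are assumptions made for illustration.

```python
import os
import tempfile


def resolve_naive(base_paths, path):
    """Weak pattern: join base and request, accept any file that exists."""
    for base in base_paths:
        # An absolute `path` makes os.path.join discard `base` entirely,
        # and "../" segments walk out of it.
        candidate = os.path.join(base, path)
        if os.path.isfile(candidate):
            return candidate
    return None


def resolve_restricted(base_paths, path):
    """Hardened pattern: canonicalise first, then require containment."""
    for base in base_paths:
        root = os.path.realpath(base)
        candidate = os.path.realpath(os.path.join(root, path))
        # commonpath compares whole components, so a sibling such as
        # <root>-other cannot pass as <root> the way a prefix check allows.
        if os.path.commonpath([root, candidate]) != root:
            continue
        if os.path.isfile(candidate):
            return candidate
    return None


def demo():
    """Constructed tree: <tmp>/docs/ok.md is allowed, <tmp>/secret.txt is not."""
    tmp = os.path.realpath(tempfile.mkdtemp())
    docs = os.path.join(tmp, "docs")
    os.mkdir(docs)
    secret = os.path.join(tmp, "secret.txt")
    for name in (os.path.join(docs, "ok.md"), secret):
        with open(name, "w") as fh:
            fh.write("constructed sample\n")
    requests = ["ok.md", "../secret.txt", secret]  # relative, traversal, absolute
    return {
        "secret": secret,
        "naive": [resolve_naive([docs], r) for r in requests],
        "restricted": [resolve_restricted([docs], r) for r in requests],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The containment check runs on the canonical path, so it also rejects a symlink inside the base directory that points outside it.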

Exploit

Fix

DoS

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2023-32309
GHSA-JH85-WWV9-24HV

Affected Products

Pymdown Extensions