Vulnerability-Lookup

GHSA-2C83-WFV3-Q25F

Vulnerability from github – Published: 2021-09-07 23:07 – Updated: 2021-09-07 14:04

Summary

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ZMarkdown

Details

Impact

A Remote Command Execution vulnerability was found in the rebber module, which allowed execution of arbitrary commands. The reported problem came from CodeBlocks, which could be escaped to insert malicious LaTeX.

Anyone using rebber without sanitation of code content or a custom macro is impacted by this vulnerability. Here is an example of a Markdown content that will exploit the vulnerability:

```
\end{CodeBlock}

\immediate\write18{COMMAND > outputrce}
\input{outputrce}

\begin{CodeBlock}{text}
```

Will insert into the generated LaTeX the result of executing COMMAND on the system.

Patches

The vulnerability has been patched in version 5.2.1. If impacted, you should update to this version as soon as possible.

Workarounds

It is possible to mitigate the vulnerability without upgrading by using a custom code macro. Please make sure this custom macro escapes your closing LaTeX sequence. For the example above, use:

const escaped = content.replace(new RegExp('\\\\end\\s*{CodeBlock}', 'g'), '')

For more information

If you have any questions or comments about this advisory, open an issue in ZMarkdown.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "rebber"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-07T14:04:47Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nA Remote Command Execution vulnerability was found in the rebber module,\nwhich allowed execution of arbitrary commands. The reported problem came\nfrom CodeBlocks, which could be escaped to insert malicious LaTeX.\n\nAnyone using `rebber` without sanitation of code content or a custom\nmacro is impacted by this vulnerability. Here is an example of a Markdown\ncontent that will exploit the vulnerability:\n\n````markdown\n```\n\\end{CodeBlock}\n\n\\immediate\\write18{COMMAND \u003e outputrce}\n\\input{outputrce}\n\n\\begin{CodeBlock}{text}\n```\n````\n\nWill insert into the generated LaTeX the result of executing\n`COMMAND` on the system.\n\n### Patches\n\nThe vulnerability has been patched in version 5.2.1.\nIf impacted, you should update to this version as soon as possible.\n\n### Workarounds\n\nIt is possible to mitigate the vulnerability without upgrading by using a\ncustom code macro. Please make sure this custom macro escapes your\nclosing LaTeX sequence. For the example above, use:\n\n```javascript\nconst escaped = content.replace(new RegExp(\u0027\\\\\\\\end\\\\s*{CodeBlock}\u0027, \u0027g\u0027), \u0027\u0027)\n```\n\n### For more information\n\nIf you have any questions or comments about this advisory, open an issue in [ZMarkdown](https://github.com/zestedesavoir/zmarkdown/issues).",
  "id": "GHSA-2c83-wfv3-q25f",
  "modified": "2021-09-07T14:04:47Z",
  "published": "2021-09-07T23:07:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zestedesavoir/zmarkdown/security/advisories/GHSA-2c83-wfv3-q25f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zestedesavoir/zmarkdown"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) in ZMarkdown"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted