CVE-2022-24803
Description
Asciidoctor-include-ext is Asciidoctors standard include processor reimplemented as an extension. Versions prior to 0.4.0, when used to render user-supplied input in AsciiDoc markup, may allow an attacker to execute arbitrary system commands on the host operating system. This attack is possible even when allow-uri-read is disabled! The problem has been patched in the referenced commits.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
1.383
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2022-24803 are fixed in Ruby-asciidoctor-include-ext 0.4.0 | Windows |
| Vulnerabilities CVE-2022-24803 are fixed in Ruby-asciidoctor-include-ext for Linux 0.4.0 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234