CVE-2022-24803.yml
---
gem: asciidoctor-include-ext
cve: 2022-24803
ghsa: v222-6mr4-qj29
url: https://github.com/jirutka/asciidoctor-include-ext/security/advisories/GHSA-v222-6mr4-qj29
title: Command Injection vulnerability in asciidoctor-include-ext
date: 2022-03-31
description: |
  ### Impact
  Applications using [Asciidoctor (Ruby)](https://github.com/asciidoctor/asciidoctor)
  with [asciidoctor-include-ext](https://github.com/jirutka/asciidoctor-include-ext)
  (prior to version 0.4.0), which render user-supplied input in AsciiDoc markup, may
  allow an attacker to execute arbitrary system commands on the host operating system.
  This attack is possible even when `allow-uri-read` is disabled!

  ### Patches
  The vulnerability has been fixed in commit c7ea001 (and further improved in cbaccf3),
  which is included in version
  [0.4.0](https://rubygems.org/gems/asciidoctor-include-ext/versions/0.4.0).

  ### Workarounds
  ```rb
  require 'asciidoctor/include_ext'

  class Asciidoctor::IncludeExt::IncludeProcessor
    # Overrides superclass private method to mitigate Command Injection
    # vulnerability in asciidoctor-include-ext <0.4.0.
    def target_uri?(target)
      target.downcase.start_with?('http://', 'https://') \
        && URI.parse(target).is_a?(URI::HTTP)
    rescue URI::InvalidURIError
      false
    end
  end
  ```

  ### References
  * https://sakurity.com/blog/2015/02/28/openuri.html
cvss_v3: 10.0
patched_versions:
  - ">= 0.4.0"
related:
  url:
    - https://github.com/jirutka/asciidoctor-include-ext/commit/c7ea001a597c7033575342c51483dab7b87ae155
    - https://github.com/jirutka/asciidoctor-include-ext/commit/cbaccf3de533cbca224bf61d0b74e4b84d41d8ee