CVE-2022-24803
published 2022-04-01


Priority: P2 61 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.72% (84.2th percentile)
Asciidoctor-include-ext is Asciidoctor’s standard include processor reimplemented as an extension. Versions prior to 0.4.0, when used to render user-supplied input in AsciiDoc markup, may allow an attacker to execute arbitrary system commands on the host operating system. This attack is possible even when `allow-uri-read` is disabled! The problem has been patched in the referenced commits.

Affected (4 ranges)

Vendor                          | Product                      | Version range                | Fixed in
------------------------------- | ---------------------------- | ---------------------------- | ------------------
asciidoctor-include-ext_project | asciidoctor-include-ext      | < 0.4.0                      | 0.4.0
asciidoctor-include-ext_project | asciidoctor-include-ext      | >= 0, < 0.4.0                | 0.4.0
debian                          | ruby-asciidoctor-include-ext | < 0.4.0-2 (bookworm)         | 0.4.0-2 (bookworm)
jirutka                         | asciidoctor-include-ext      | < 0.4.0                      | 0.4.0

Detection & IOCs (extracted from sources)

  • The vulnerability affects asciidoctor-include-ext versions prior to 0.4.0; inventory this gem (for example via Gemfile.lock) in any environment that renders user-supplied AsciiDoc markup.
  • Arbitrary OS command execution is possible even when the Asciidoctor `allow-uri-read` option is disabled; that flag is not a mitigation for this issue and must not be relied on as a security control. Upgrading to 0.4.0 or later is the fix.
  • Debian Bullseye remains unpatched (open); the other Debian releases (bookworm, trixie, forky, sid) are fixed at version 0.4.0-2.
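The description and the detection notes above do not say how the include processor ends up running a command, so the following is an added example, not code from the asciidoctor-include-ext gem or its fix commits. It assumes the root cause is Ruby's pipe-aware IO methods: `IO.foreach("|cmd")` and `IO.read("|cmd")` spawn `cmd` and return its output, so a file reader that passes an include target straight to them turns `include::|cmd[]` in untrusted input into command execution, regardless of `allow-uri-read`. The block contrasts that pattern with a reader that opens the target strictly as a file, and adds a pre-render filter for user-supplied AsciiDoc as defence in depth. `read_include_unsafe`, `read_include_safe`, `suspicious_include_targets` and the sample document are all constructed for this example.

```ruby
# Added example (not the gem's code). Assumed root cause: Ruby's class-level
# IO.foreach / IO.read treat a path beginning with "|" as a command to spawn.
require 'tmpdir'

# Vulnerable pattern (assumption about the pre-0.4.0 behaviour): the include
# target goes straight to IO.foreach, so "|uname -a" runs uname instead of
# opening a file. Newer Rubies warn about (or drop) this behaviour.
def read_include_unsafe(target)
  IO.foreach(target).to_a
end

# Hardened pattern: File.open never interprets a leading "|". A target such as
# "|uname -a" is just a file that does not exist and raises Errno::ENOENT.
def read_include_safe(target)
  File.open(target, 'r') { |f| f.readlines }
end

# Matches an AsciiDoc include directive and captures its target.
INCLUDE_RE = /^include::(?<target>[^\[]+)\[[^\]]*\]/

# Defence-in-depth check for untrusted AsciiDoc: returns include targets that
# pipe-aware IO methods would execute. Upgrading to >= 0.4.0 is the real fix.
def suspicious_include_targets(asciidoc)
  asciidoc.each_line.filter_map do |line|
    m = INCLUDE_RE.match(line)
    next unless m
    target = m[:target].strip
    target if target.start_with?('|')
  end
end

# Constructed sample resembling user-supplied input.
SAMPLE_DOC = <<~ADOC
  = Report
  include::chapter1.adoc[]
  include::|id -un[]
ADOC

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'chapter1.adoc')
    File.write(path, "hello\n")
    puts "safe reader on a real file:   #{read_include_safe(path).inspect}"
    puts "unsafe reader on a real file: #{read_include_unsafe(path).inspect}"

    begin
      read_include_safe('|id -un')
    rescue Errno::ENOENT => e
      puts "safe reader refused pipe target: #{e.message}"
    end

    begin
      out = read_include_unsafe('|echo injected')
      puts "unsafe reader executed the target: #{out.inspect}"
    rescue Errno::ENOENT
      puts 'this Ruby no longer spawns commands from IO.foreach'
    end
  end

  puts "suspicious include targets: #{suspicious_include_targets(SAMPLE_DOC).inspect}"
end
```

The filter is deliberately narrow (only the `|` prefix that pipe-aware IO methods honour); it is a detection aid for documents already in flight, not a replacement for the 0.4.0 upgrade, and it says nothing about other include behaviours such as URI or path traversal handling.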

CVSS provenance

  • NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • NVD (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
  • OSV: 9.8 CRITICAL
  • Vendor (Debian): 10.0 CRITICAL