CVE-2022-24803
Published 2022-04-01
Priority P261 · critical 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.72% (84.2th percentile)
Asciidoctor-include-ext is Asciidoctor’s standard include processor reimplemented as an extension. Versions prior to 0.4.0, when used to render user-supplied input in AsciiDoc markup, may allow an attacker to execute arbitrary system commands on the host operating system. This attack is possible even when `allow-uri-read` is disabled! The problem has been patched in the referenced commits.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asciidoctor-include-ext_project | asciidoctor-include-ext | < 0.4.0 | 0.4.0 |
| asciidoctor-include-ext_project | asciidoctor-include-ext | >= 0 < 0.4.0 | 0.4.0 |
| debian | ruby-asciidoctor-include-ext | < ruby-asciidoctor-include-ext 0.4.0-2 (bookworm) | ruby-asciidoctor-include-ext 0.4.0-2 (bookworm) |
| jirutka | asciidoctor-include-ext | < 0.4.0 | 0.4.0 |
Detection & IOCs (extracted from sources)
- Vulnerability affects asciidoctor-include-ext versions prior to 0.4.0; monitor for use of this gem in environments that render user-supplied AsciiDoc markup
- Arbitrary OS command execution is possible even when the `allow-uri-read` Asciidoctor option is disabled; do not rely on that flag as a security control
- The `allow-uri-read` configuration flag does NOT prevent exploitation of this vulnerability; disabling it is insufficient as a mitigation
- Debian Bullseye remains unpatched (open); other Debian releases (bookworm, forky, sid, trixie) are resolved at version 0.4.0-2
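A check of the kind the first detection note calls for, added here as an example (not code from the advisory or from the asciidoctor-include-ext project): it reads a constructed Gemfile.lock and reports whether the pinned asciidoctor-include-ext version falls below the fixed release 0.4.0.

```ruby
# Added example (not from the advisory or the project): flag a Gemfile.lock
# that pins asciidoctor-include-ext below the fixed release 0.4.0.
require 'rubygems'

GEM_NAME = 'asciidoctor-include-ext'
FIXED_VERSION = Gem::Version.new('0.4.0')

# Constructed sample lock file; the pinned version is deliberately vulnerable.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      asciidoctor (2.0.17)
      asciidoctor-include-ext (0.3.1)
        asciidoctor (>= 1.5.6, < 3.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    asciidoctor-include-ext
LOCK

# Returns the pinned version string of `name` from lock-file text, or nil.
# Only "specs:" entries (exactly four spaces of indentation) are matched, so
# dependency lines indented by six spaces are ignored.
def locked_version(lock_text, name)
  m = lock_text.match(/^ {4}#{Regexp.escape(name)} \(([^)]+)\)$/)
  m && m[1]
end

# Returns :vulnerable, :fixed or :absent for the gem in the lock file.
def cve_2022_24803_status(lock_text)
  v = locked_version(lock_text, GEM_NAME)
  return :absent unless v
  Gem::Version.new(v) < FIXED_VERSION ? :vulnerable : :fixed
end

if __FILE__ == $PROGRAM_NAME
  puts "#{GEM_NAME}: #{cve_2022_24803_status(SAMPLE_LOCK)}"
end
```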
CVSS provenance
- nvd v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- nvd v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- osv: 9.8 CRITICAL
- vendor_debian: 10.0 CRITICAL
OSV
CVE-2022-24803: Asciidoctor-include-ext is Asciidoctor’s standard include processor reimplemented as an extension
osv · 2022-04-01 · CVSS 9.8
OSV
Command Injection vulnerability in asciidoctor-include-ext
osv · 2022-03-31
### Impact
Applications using [Asciidoctor (Ruby)](https://github.com/asciidoctor/asciidoctor) with [asciidoctor-include-ext](https://github.com/jirutka/asciidoctor-include-ext) (prior to version 0.4.0), which render user-supplied input in AsciiDoc markup, may allow an attacker to execute arbitrary system commands on the host operating system. ~~This attack is possible even when `allow-uri-read` is disabled!~~ (EDIT: it’s not)
### Patches
The vulnerability has been fixed in commit c7ea001 (and further improved in cbaccf3), which is included in version [0.4.0](https://rubygems.org/gems/asciidoctor-include-ext/versions/0.4.0).
### Workarounds
```rb
require 'asciidoctor/include_ext'
class Asciidoctor::IncludeExt::IncludeProces
```
GHSA
Command Injection vulnerability in asciidoctor-include-ext
ghsa · 2022-03-31 · CRITICAL · CWE-78
Debian
CVE-2022-24803: ruby-asciidoctor-include-ext - Asciidoctor-include-ext is Asciidoctor’s standard include processor reimplemente...
vendor_debian · 2022 · CVSS 10.0
Scope: local
bookworm: resolved (fixed in 0.4.0-2)
bullseye: open
forky: resolved (fixed in 0.4.0-2)
sid: resolved (fixed in 0.4.0-2)
trixie: resolved (fixed in 0.4.0-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/jirutka/asciidoctor-include-ext/commit/c7ea001a597c7033575342c51483dab7b87ae155
- https://github.com/jirutka/asciidoctor-include-ext/commit/cbaccf3de533cbca224bf61d0b74e4b84d41d8ee
- https://github.com/jirutka/asciidoctor-include-ext/security/advisories/GHSA-v222-6mr4-qj29
Published: 2022-04-01