Skip to content

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ZMarkdown

Critical severity GitHub Reviewed Published Aug 31, 2021 in zestedesavoir/zmarkdown • Updated Apr 29, 2024

Package

npm rebber (npm)

Affected versions

< 5.2.1

Patched versions

5.2.1

Description

Impact

A Remote Command Execution vulnerability was found in the rebber module,
which allowed execution of arbitrary commands. The reported problem came
from CodeBlocks, which could be escaped to insert malicious LaTeX.

Anyone using rebber without sanitation of code content or a custom
macro is impacted by this vulnerability. Here is an example of a Markdown
content that will exploit the vulnerability:

```
\end{CodeBlock}

\immediate\write18{COMMAND > outputrce}
\input{outputrce}

\begin{CodeBlock}{text}
```

Will insert into the generated LaTeX the result of executing
COMMAND on the system.

Patches

The vulnerability has been patched in version 5.2.1.
If impacted, you should update to this version as soon as possible.

Workarounds

It is possible to mitigate the vulnerability without upgrading by using a
custom code macro. Please make sure this custom macro escapes your
closing LaTeX sequence. For the example above, use:

const escaped = content.replace(new RegExp('\\\\end\\s*{CodeBlock}', 'g'), '')

For more information

If you have any questions or comments about this advisory, open an issue in ZMarkdown.

References

@StaloneLab StaloneLab published to zestedesavoir/zmarkdown Aug 31, 2021
Reviewed Sep 7, 2021
Published to the GitHub Advisory Database Sep 7, 2021
Last updated Apr 29, 2024

Severity

Critical

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-2c83-wfv3-q25f

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.