Headline
CVE-2020-14001: Home | kramdown
The kramdown gem before 2.3.0 for Ruby processes the template option inside kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum. The vulnerable path is the document itself setting the option through kramdown's `{::options template="..." /}` extension, so any application that renders Markdown supplied by untrusted users with an older gem is exposed; an application that only passes `template` through the Ruby API from its own configuration is not affected by this particular issue. Upgrading to 2.3.0 or later, where in-document use of `template` is no longer honoured by default, is the fix.
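As an added example (not kramdown's own code and not part of the original page), the Ruby snippet below is a pre-filter an application can run over untrusted Markdown before handing it to kramdown. It assumes kramdown's `{::options key="value" /}` extension syntax and reports or strips any option block that tries to set `template`; the list of forbidden names mirrors the default of the `forbidden_inline_options` option that kramdown 2.3.0 introduced. The sample document is constructed for the example. Because a pattern match can miss syntax variants that the real parser accepts, treat this as defence in depth in front of an older gem, not as a substitute for upgrading.

```ruby
# Added example: pre-filter for untrusted kramdown input. Not part of kramdown.
# It inspects the Markdown text for in-document option blocks,
#   {::options key="value" key2='value' /}
# and reports or strips any that try to set a forbidden option such as
# "template" (the CVE-2020-14001 vector).

# Options that untrusted documents must not set. Mirrors the default of
# kramdown 2.3.0's forbidden_inline_options.
FORBIDDEN_INLINE_OPTIONS = %w[template].freeze

# One {::options ... /} extension block; group 1 is the attribute list.
# Multiline (m) because an attribute list may be broken across lines.
OPTIONS_BLOCK = /\{::options\s+(.*?)\s*\/\}/m

# key="value", key='value' or a bare key=value pair inside the attribute list.
ATTR_PAIR = /([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))/

# Turns an attribute list into [[key, value], ...].
def inline_options(attr_text)
  attr_text.scan(ATTR_PAIR).map { |key, dq, sq, bare| [key, dq || sq || bare] }
end

# Every forbidden option the document tries to set, as [[key, value], ...].
# An empty result means the document is clean with respect to this check.
def forbidden_inline_uses(markdown)
  markdown.scan(OPTIONS_BLOCK).flatten.flat_map do |attrs|
    inline_options(attrs).select { |key, _| FORBIDDEN_INLINE_OPTIONS.include?(key) }
  end
end

# Removes forbidden attributes and keeps the others; a block left with no
# attributes is dropped entirely. Values are re-emitted double-quoted; a value
# that itself contains a double quote would need escaping, which this example
# does not attempt.
def strip_forbidden_inline_options(markdown)
  markdown.gsub(OPTIONS_BLOCK) do
    kept = inline_options(Regexp.last_match(1))
             .reject { |key, _| FORBIDDEN_INLINE_OPTIONS.include?(key) }
    kept.empty? ? "" : "{::options #{kept.map { |k, v| %(#{k}="#{v}") }.join(' ')} /}"
  end
end

# Gatekeeper an application would call before Kramdown::Document.new(text).
# Raises instead of silently rewriting so the attempt is visible in logs.
def check_untrusted_markdown!(markdown)
  uses = forbidden_inline_uses(markdown)
  raise ArgumentError, "forbidden inline options: #{uses.inspect}" unless uses.empty?
  markdown
end

# Constructed sample: a legitimate option block next to the two payload
# shapes named in the CVE text (a file path and a string:// ERB template).
SAMPLE = <<~MD
  # Untrusted post

  {::options parse_block_html="true" template="/etc/passwd" /}

  Some *text*.

  {::options template='string://<%= 1 + 1 %>' /}
MD

if __FILE__ == $PROGRAM_NAME
  p forbidden_inline_uses(SAMPLE)
  puts strip_forbidden_inline_options(SAMPLE)
end
```

`check_untrusted_markdown!` is the call to place in front of rendering when you want rejected input to surface as an error; `strip_forbidden_inline_options` is the quieter choice when you prefer to render the rest of the document and keep the legitimate `{::options ... /}` settings intact.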
Overview
If you want to get started with kramdown, have a look at the installation page to see how you can install it on your system. Then look through the documentation to find information about how to use kramdown and its parsers and converters. The quick reference provides an overview of the syntax; if you need a more detailed description of the superset of Markdown that kramdown supports, the syntax page is the place to go!
Bugs, Forums, Mailing Lists
If you have found a bug, you should report it here. Also, there is the kramdown-users Google group available if you have any questions!
Thanks
kramdown would not be possible without the prior work of many other people. I want to thank everyone involved with making Markdown such a nice markup language and especially the developers of other Markdown implementations because kramdown borrowed many ideas from existing packages.
- Thomas Leitner
- e-Mail: [email protected]