CVE-2020-26298
Published: 11 January 2021
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.
Priority
Medium
CVSS 3 base score: 5.4
Status
| Package | Release | Status |
|---|---|---|
|
rudy-redcarpet Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.10 (Groovy Gorilla) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26298
- https://github.com/advisories/GHSA-q3wr-qw3g-3p4h
- https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md#version-351-security
- https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793
- https://rubygems.org/gems/redcarpet
- NVD
- Launchpad
- Debian