CVE-2021-28834

Source
Severity Medium
Remote No
Type Insufficient validation
Description
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
Group     Package        Affected  Fixed    Severity  Status  Ticket
AVG-1709  ruby-kramdown  2.3.0-1   2.3.1-1  Medium    Fixed
References
https://github.com/gettalong/kramdown/pull/708
https://github.com/gettalong/kramdown/commit/d6a1cbcb2caa2f8a70927f176070d126b2422760