CVE-2021-28834 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2021-28834 Interim 1 21 2023-08-28T23:41:54Z current 2021-05-30T14:49:16Z 2023-08-28T23:41:54Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2021-28834 Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise High Availability Extension 15 SUSE Linux Enterprise High Availability Extension 15 SP1 SUSE Linux Enterprise High Availability Extension 15 SP2 SUSE Linux Enterprise High Availability Extension 15 SP3 SUSE Linux Enterprise High Availability Extension 15 SP4 openSUSE Tumbleweed ruby2.5-rubygem-kramdown ruby2.7-rubygem-kramdown-2.3.1-1.3 ruby3.0-rubygem-kramdown-2.3.1-1.3 ruby3.1-rubygem-kramdown-2.4.0-1.1 ruby3.2-rubygem-kramdown-2.4.0-1.8 rubygem-kramdown ruby2.7-rubygem-kramdown-2.3.1-1.3 as a component of openSUSE Tumbleweed ruby3.0-rubygem-kramdown-2.3.1-1.3 as a component of openSUSE Tumbleweed ruby3.1-rubygem-kramdown-2.4.0-1.1 as a component of openSUSE Tumbleweed ruby3.2-rubygem-kramdown-2.4.0-1.8 as a component of openSUSE Tumbleweed ruby2.5-rubygem-kramdown as a component of SUSE Linux Enterprise High Availability Extension 15 rubygem-kramdown as a component of SUSE Linux Enterprise High Availability Extension 15 ruby2.5-rubygem-kramdown as a component of SUSE Linux Enterprise High Availability Extension 15 SP1 rubygem-kramdown as a component of SUSE Linux Enterprise High Availability Extension 15 SP1 ruby2.5-rubygem-kramdown as a component of SUSE Linux Enterprise High Availability Extension 15 SP2 rubygem-kramdown as a component of SUSE Linux Enterprise High Availability Extension 15 SP2 ruby2.5-rubygem-kramdown as a component of SUSE Linux Enterprise High Availability Extension 15 SP3 rubygem-kramdown as a component of SUSE Linux Enterprise High Availability Extension 15 SP3 ruby2.5-rubygem-kramdown as a component of SUSE Linux Enterprise High Availability Extension 15 SP4 rubygem-kramdown as a component of SUSE Linux Enterprise High Availability Extension 15 SP4 Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated. CVE-2021-28834 openSUSE Tumbleweed:ruby2.7-rubygem-kramdown-2.3.1-1.3 openSUSE Tumbleweed:ruby3.0-rubygem-kramdown-2.3.1-1.3 openSUSE Tumbleweed:ruby3.1-rubygem-kramdown-2.4.0-1.1 openSUSE Tumbleweed:ruby3.2-rubygem-kramdown-2.4.0-1.8 SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-kramdown SUSE Linux Enterprise High Availability Extension 15 SP1:rubygem-kramdown SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-kramdown SUSE Linux Enterprise High Availability Extension 15 SP2:rubygem-kramdown SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-kramdown SUSE Linux Enterprise High Availability Extension 15 SP3:rubygem-kramdown SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-kramdown SUSE Linux Enterprise High Availability Extension 15 SP4:rubygem-kramdown SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-kramdown SUSE Linux Enterprise High Availability Extension 15:rubygem-kramdown critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H