CVE-2020-14001

9.8 CRITICAL

📋 TL;DR

The kramdown gem before version 2.3.0 for Ruby processes template options inside Kramdown documents by default, allowing attackers to read arbitrary files or execute embedded Ruby code. This affects all applications using vulnerable kramdown versions, including Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

💻 Affected Systems

Products:
  • kramdown
  • Jekyll
  • GitLab Pages
  • GitHub Pages
  • Thredded Forum
Versions: All versions before 2.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable by default when processing untrusted Kramdown input. Applications using kramdown for markdown processing are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Unauthorized file access exposing sensitive configuration files, credentials, or user data.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to submit Kramdown content for processing. Public proof-of-concept demonstrates file read and code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.0

Vendor Advisory: https://kramdown.gettalong.org/news.html

Restart Required: No

Instructions:

1. Update kramdown gem: gem update kramdown
2. Verify version: gem list kramdown
3. Update the Gemfile to specify gem 'kramdown', '>= 2.3.0'
4. Run bundle update kramdown if using Bundler

🔧 Temporary Workarounds

Disable template processing (applies to: all)

Configure kramdown to disable template option processing. Set Kramdown::Document.new(input, template: false) in code.

Input sanitization (applies to: all)

Strip or reject Kramdown input containing template= patterns. Use regex: input.gsub(/template\s*=\s*["'][^"']*["']/, '')

🧯 If You Can't Patch

  • Implement strict input validation to reject Kramdown containing template= patterns
  • Run kramdown in isolated sandbox/container with minimal permissions

🔍 How to Verify

Check if Vulnerable:

Check kramdown version: gem list | grep kramdown or bundle show kramdown

Check Version:

gem list kramdown | grep -o 'kramdown ([^)]*)'

Verify Fix Applied:

Confirm version is 2.3.0 or higher: kramdown --version
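As an added example (not code from kramdown or from this advisory), the following Ruby guard serves both the workaround and verification sections above: it scans untrusted input for the kramdown inline options syntax {::options key="value" /} when that block sets the template key, and it compares an installed version string against the fixed release. The sample documents and the path value in them are constructed; nothing here requires the kramdown gem to be installed.

```ruby
# Added example: a pre-processing guard for untrusted Kramdown input plus a
# version gate. It does not depend on kramdown itself, so it can run in front
# of a still-vulnerable deployment (< 2.3.0) as a stop-gap.
require 'rubygems'

FIXED_VERSION = Gem::Version.new('2.3.0')

# Matches a kramdown inline options block, e.g. {::options key="value" /},
# and captures its attribute list for inspection.
OPTIONS_BLOCK = /\{::options\s+([^}]*?)\/\}/m

# True when the attribute list sets the `template` option (quoted or not).
def sets_template?(attrs)
  attrs.match?(/(?:\A|\s)template\s*=/i)
end

# Returns every inline options block in the document that sets `template`.
def find_template_overrides(markdown)
  markdown.scan(OPTIONS_BLOCK).flatten.select { |attrs| sets_template?(attrs) }
end

# Returns the document unchanged when it is clean; raises otherwise so the
# caller can log and reject the request before kramdown ever sees the input.
def reject_if_unsafe(markdown)
  hits = find_template_overrides(markdown)
  raise ArgumentError, "refusing input: #{hits.size} inline template option(s) found" unless hits.empty?
  markdown
end

# True when the given kramdown version string is older than the 2.3.0 fix.
def vulnerable_version?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# Constructed sample inputs: one benign inline option, one template override.
SAFE_DOC   = "# Title\n\n{::options parse_block_html=\"true\" /}\n\nSome *text*.\n"
UNSAFE_DOC = "# Title\n\n{::options template=\"not/a/real/path\" /}\n\nSome *text*.\n"

if __FILE__ == $PROGRAM_NAME
  puts "safe doc overrides:   #{find_template_overrides(SAFE_DOC).inspect}"
  puts "unsafe doc overrides: #{find_template_overrides(UNSAFE_DOC).inspect}"
  puts "2.2.1 vulnerable? #{vulnerable_version?('2.2.1')}"
end
```

Feed the version string from gem list kramdown or bundle show kramdown into vulnerable_version? to gate deployments, and call reject_if_unsafe on every untrusted document before handing it to Kramdown::Document.new.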

📡 Detection & Monitoring

Log Indicators:

  • Kramdown processing errors
  • Unexpected file read attempts
  • Ruby code execution in kramdown context

Network Indicators:

  • HTTP requests with Kramdown content containing template= patterns

SIEM Query:

source="application" AND ("template=" OR "kramdown" AND error)
