CVE-2022-24803

10.0 CRITICAL

📋 TL;DR

CVE-2022-24803 is a critical command injection vulnerability in Asciidoctor-include-ext that allows attackers to execute arbitrary system commands when processing untrusted AsciiDoc input. This affects all systems using versions before 0.4.0 to render user-supplied content, even with security features like allow-uri-read disabled.

💻 Affected Systems

Products:
  • asciidoctor-include-ext
Versions: All versions prior to 0.4.0
Operating Systems: All operating systems where Asciidoctor runs
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable even with allow-uri-read disabled. Only affects systems processing untrusted AsciiDoc input.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attacker to execute arbitrary commands with the privileges of the Asciidoctor process, potentially leading to data theft, ransomware deployment, or complete host takeover.

🟠 Likely Case

Remote code execution leading to data exfiltration, installation of backdoors, or lateral movement within the network.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing are implemented, though command injection would still be possible.

🌐 Internet-Facing: HIGH - Any internet-facing application processing user-supplied AsciiDoc content is immediately vulnerable to remote exploitation.
🏢 Internal Only: HIGH - Internal applications processing user content are equally vulnerable to authenticated or insider attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to supply AsciiDoc content for processing. Public proof-of-concept exists in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.0

Vendor Advisory: https://github.com/jirutka/asciidoctor-include-ext/security/advisories/GHSA-v222-6mr4-qj29

Restart Required: No

Instructions:

1. Update asciidoctor-include-ext to version 0.4.0 or later using your package manager.
2. For Ruby projects: update the Gemfile to specify '~> 0.4.0' and run 'bundle update asciidoctor-include-ext'.
3. Verify no older versions are installed.

🔧 Temporary Workarounds

Disable include processing for untrusted content (applies to: all)

  • Configure Asciidoctor to not process include directives when handling user-supplied input
  • Set safe mode to SAFE or higher when processing untrusted content

Input sanitization (applies to: all)

  • Strip or escape include directives from user input before processing
  • Use a regex to remove include:: directive lines, e.g. content.gsub(/^include::[^\[\n]*\[[^\]\n]*\]$/, ''); the pattern must also match directives that carry attributes such as [lines=1..5], not only an empty [], and must not span lines

🧯 If You Can't Patch

  • Isolate the vulnerable system in a network segment with strict egress filtering
  • Implement application-level allowlisting of trusted include sources only

🔍 How to Verify

Check if Vulnerable:

Check the installed version of asciidoctor-include-ext. If version is < 0.4.0 and you process untrusted AsciiDoc content, you are vulnerable.

Check Version:

gem list asciidoctor-include-ext | grep asciidoctor-include-ext

Verify Fix Applied:

Verify asciidoctor-include-ext version is 0.4.0 or higher using 'gem list asciidoctor-include-ext' or check package manager.
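An added Ruby example (not code from the advisory or the asciidoctor-include-ext project) that ties the version check in this section to the input-sanitization workaround above: it gates on the fixed version 0.4.0 and strips include directive lines from untrusted AsciiDoc with a pattern that also catches directives carrying attributes. The helper `installed_include_ext_version` and the sample document are assumptions constructed for this example.

```ruby
require 'rubygems'

# First version that contains the fix for CVE-2022-24803.
FIXED_VERSION = Gem::Version.new('0.4.0')

# True when the given asciidoctor-include-ext version string is affected.
def vulnerable_version?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# Version of the gem loaded in this process, or nil if it is not loaded
# (hypothetical helper; it only reads the gem's own loaded spec).
def installed_include_ext_version
  spec = Gem.loaded_specs['asciidoctor-include-ext']
  spec && spec.version.to_s
end

# Matches one whole include directive line: a target, then an attribute
# list that may be empty ("[]") or carry options ("[lines=1..10]").
# The character classes exclude newlines, so a match never spans lines
# and a target cannot hide behind a "[]" found further down the document.
INCLUDE_DIRECTIVE = /^[ \t]*include::[^\[\n]*\[[^\]\n]*\][ \t]*\r?$/

# Drops every include directive line from untrusted AsciiDoc before it
# reaches Asciidoctor. Escaped directives (\include::...) are already
# literal text in AsciiDoc and are left untouched.
def strip_include_directives(content)
  content.gsub(INCLUDE_DIRECTIVE, '')
end

# Constructed sample of untrusted input (not taken from the advisory).
SAMPLE_UNTRUSTED = <<~ADOC
  = Untrusted document
  include::chapter1.adoc[]
  include::chapter2.adoc[lines=1..10]
  A sentence that merely mentions include:: stays.
ADOC

if __FILE__ == $PROGRAM_NAME
  v = installed_include_ext_version
  puts(v ? "asciidoctor-include-ext #{v}: #{vulnerable_version?(v) ? 'VULNERABLE' : 'fixed'}" : 'gem not loaded')
  puts strip_include_directives(SAMPLE_UNTRUSTED)
end
```

Run it inside the application's bundle so `Gem.loaded_specs` reflects the gem version the application actually loads, not whatever `gem list` happens to show system-wide.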

📡 Detection & Monitoring

Log Indicators:

  • Unusual system command execution from Asciidoctor process
  • Include directives with suspicious paths or shell commands
  • Failed include attempts with command-like syntax

Network Indicators:

  • Outbound connections from Asciidoctor process to unexpected destinations
  • Command and control traffic patterns

SIEM Query:

process.name:"ruby" AND process.args:"asciidoctor" AND process.args:"include::" AND process.args:"$"

🔗 References
