10

CVSS Score

Basic Information

CVE ID

CVE-2022-24803

GHSA ID

GHSA-v222-6mr4-qj29

EPSS Score

CWE

CWE-78

Published

3/31/2022

Updated

5/4/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24803

CVE-2022-24803:
Command Injection vulnerability in asciidoctor-include-ext

Impact

Applications using Asciidoctor (Ruby) with asciidoctor-include-ext (prior to version 0.4.0), which render user-supplied input in AsciiDoc markup, may allow an attacker to execute arbitrary system commands on the host operating system. ~~This attack is possible even when allow-uri-read is disabled!~~ (EDIT: it’s not)

Patches

The vulnerability has been fixed in commit c7ea001 (and further improved in cbaccf3), which is included in version 0.4.0.

Workarounds

require 'asciidoctor/include_ext'

class Asciidoctor::IncludeExt::IncludeProcessor
  # Overrides superclass private method to mitigate Command Injection
  # vulnerability in asciidoctor-include-ext <0.4.0.
  def target_uri?(target)
    target.downcase.start_with?('http://', 'https://') \
      && URI.parse(target).is_a?(URI::HTTP)
  rescue URI::InvalidURIError
    false
  end
end

References

https://sakurity.com/blog/2015/02/28/openuri.html

Credits

This vulnerability was discovered by Joern Schneeweisz from the GitLab Security Research Team.

For more information

See commit message c7ea001.

If you have any questions or comments about this advisory open an issue in jirutka/asciidoctor-include-ext.

(GitHub Advisory)

10

CVSS Score

Basic Information

CVE ID

CVE-2022-24803

GHSA ID

GHSA-v222-6mr4-qj29

EPSS Score

CWE

CWE-78

Published

3/31/2022

Updated

5/4/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
asciidoctor-include-ext	rubygems	< 0.4.0	0.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key functions: 1) target_uri? failed to properly validate URIs by allowing pipe-based command injection via linebreak bypasses. 2) read_lines directly passed user-controlled input to IO.foreach/URI.open. The patch replaced target_uri? with strict HTTP validation (target_http?) and modified read_lines to use safer URI parsing, confirming these were the vulnerable components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ppli**tions usin* [*s*ii*o*tor (Ru*y)](*ttps://*it*u*.*om/*s*ii*o*tor/*s*ii*o*tor) wit* [*s*ii*o*tor-in*lu**-*xt](*ttps://*it*u*.*om/jirutk*/*s*ii*o*tor-in*lu**-*xt) (prior to v*rsion *.*.*), w*i** r*n**r us*r-suppli** input in *s*ii*o*

Reasoning

T** vuln*r**ility st*ms *rom two k*y *un*tions: *) t*r**t_uri? **il** to prop*rly v*li**t* URIs *y *llowin* pip*-**s** *omm*n* inj**tion vi* lin**r**k *yp*ss*s. *) r***_lin*s *ir**tly p*ss** us*r-*ontroll** input to IO.*or****/URI.op*n. T** p*t** r*p

10

Basic Information

Concerned about an active attack path?

CVE-2022-24803: Command Injection vulnerability in asciidoctor-include-ext

Impact

Patches

Workarounds

References

Credits

For more information

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-24803:
Command Injection vulnerability in asciidoctor-include-ext

Vulnerability Intelligence
Miggo AI