Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tcTZ2LXczNWctM2M5N84AA5C1
Local File Inclusion vulnerability in zmarkdown
Impact
A minor Local File Inclusion vulnerability has been found in zmarkdown, which allowed images with a known path on the host machine to be included inside a LaTeX document.
To prevent it, a new option has been created that allows invalid paths to be replaced with a default image instead of linking the image on the host directly. zmarkdown has been updated to make this setting the default.
Every user of zmarkdown is likely impacted, unless LaTeX generation or image downloading is disabled. Here is an example of including an image from an invalid path:
![](/tmp/img.png)
This will effectively re-download and include the image found at /tmp/img.png.
Patches
The vulnerability has been patched in version 10.1.3.
If impacted, you should update to this version as soon as possible.
Workarounds
Disable images downloading, or sanitize paths.
For more information
If you have any questions or comments about this advisory, open an issue in ZMarkdown.
Permalink: https://github.com/advisories/GHSA-mq6v-w35g-3c97
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tcTZ2LXczNWctM2M5N84AA5C1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 10 months ago
Updated: 6 months ago
Identifiers: GHSA-mq6v-w35g-3c97
References:
- https://github.com/zestedesavoir/zmarkdown/security/advisories/GHSA-mq6v-w35g-3c97
- https://github.com/advisories/GHSA-mq6v-w35g-3c97
Blast Radius: 0.0
Affected Packages
npm:zmarkdown
Dependent packages: 2
Dependent repositories: 9
Downloads: 377 last month
Affected Version Ranges: < 10.1.3
Fixed in: 10.1.3
All affected versions: 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.14, 0.0.15, 0.0.16, 0.0.17, 0.0.18, 0.0.19, 0.0.20, 0.0.21, 0.0.22, 0.0.23, 0.0.24, 0.0.26, 0.0.27, 0.0.28, 0.0.29, 0.0.30, 0.0.31, 0.0.32, 0.0.33, 0.0.34, 0.0.35, 0.0.36, 0.0.37, 0.0.38, 0.0.39, 0.0.40, 0.0.41, 0.0.42, 0.0.43, 0.0.44, 0.0.45, 0.0.46, 0.0.47, 0.0.48, 0.0.49, 0.0.50, 0.0.51, 0.0.52, 0.0.53, 0.0.54, 0.0.55, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.2.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.7, 5.4.8, 5.4.9, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.8.1, 5.8.2, 5.9.0, 5.9.1, 5.9.2, 5.9.3, 5.9.4, 5.10.0, 5.11.0, 5.12.0, 5.12.1, 5.12.2, 5.12.3, 5.12.4, 5.13.0, 5.14.0, 5.14.1, 5.15.0, 5.15.1, 6.0.0, 6.1.0, 7.0.2, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 9.0.0, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 10.0.0, 10.0.1, 10.0.2, 10.1.0, 10.1.1, 10.1.2
All unaffected versions: 10.1.3, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.3.0, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 12.0.0