asciidoctor-include-ext 0.2.0

1 security vulnerability found in version 0.2.0

Command Injection vulnerability in asciidoctor-include-ext

critical severity CVE-2022-24803
Patched versions: >= 0.4.0


Applications that use Asciidoctor (Ruby) together with asciidoctor-include-ext prior to version 0.4.0 and render user-supplied AsciiDoc markup may allow an attacker to execute arbitrary system commands on the host operating system. The attack works even when allow-uri-read is disabled, so leaving remote includes switched off is not a mitigation.


The vulnerability has been fixed in commit c7ea001 (and further improved in cbaccf3), which is included in version 0.4.0. Upgrading to 0.4.0 or later is the fix. For a deployment that cannot upgrade yet, the advisory's workaround below overrides IncludeProcessor#target_uri? so that only a well-formed http:// or https:// URI is treated as a remote target; it must be loaded after the gem and before any document is rendered:


require 'uri'
require 'asciidoctor/include_ext'

class Asciidoctor::IncludeExt::IncludeProcessor
  # Overrides superclass private method to mitigate Command Injection
  # vulnerability in asciidoctor-include-ext <0.4.0.
  # A target is a remote URI only if it starts with http(s):// AND parses
  # as URI::HTTP (URI::HTTPS is a subclass); anything else is a file path.
  def target_uri?(target)
    target.downcase.start_with?('http://', 'https://') \
      && URI.parse(target).is_a?(URI::HTTP)
  rescue URI::InvalidURIError
    # A malformed URI is never treated as a remote target.
    false
  end
end
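The following is an added, self-contained example (not code from the gem or from the advisory) showing how the workaround's classifier behaves on a range of include targets, alongside an illustrative file reader that refuses the inputs a Ruby command-injection of this class relies on. The general Ruby hazard is that Kernel#open, IO.read and IO.foreach spawn a subprocess when the string they are given begins with a `|`; the advisory on this page does not spell out the exact code path in 0.2.0, so the reader below simply refuses such targets, confines the resolved path to a base directory, and opens it with File.open, which never spawns a process. `strict_target_uri?`, `safe_read_lines`, `patched_include_ext?` and the sample inputs are assumptions made for this example, not gem API.

```ruby
require 'uri'
require 'tmpdir'

# Same logic as the advisory's workaround (illustrative copy, not the gem's
# method): a target is a remote URI only if it starts with http:// or
# https:// AND parses as URI::HTTP (URI::HTTPS is a subclass).
def strict_target_uri?(target)
  target.downcase.start_with?('http://', 'https://') &&
    URI.parse(target).is_a?(URI::HTTP)
rescue URI::InvalidURIError
  false
end

# Illustrative local-file reader (not the gem's API). It refuses targets that
# Kernel#open / IO.read / IO.foreach would treat as a command pipe, keeps the
# resolved path inside base_dir, and opens it with File.open, which never
# spawns a process regardless of the string it is given.
def safe_read_lines(target, base_dir)
  if target.lstrip.start_with?('|')
    raise ArgumentError, "refusing pipe-like include target: #{target.inspect}"
  end
  if strict_target_uri?(target)
    raise ArgumentError, "remote include not handled by this reader: #{target}"
  end
  root = File.expand_path(base_dir)
  path = File.expand_path(target, root)
  unless path.start_with?(File.join(root, ''))
    raise ArgumentError, "include target escapes base directory: #{target}"
  end
  File.open(path, 'r') { |f| f.readlines(chomp: true) }
end

# Version gate matching the advisory's "Patched versions: >= 0.4.0".
def patched_include_ext?(version_string)
  Gem::Version.new(version_string) >= Gem::Version.new('0.4.0')
end

# Constructed include targets and how the strict classifier treats them.
CLASSIFICATION = {
  'http://example.com/part.adoc'  => strict_target_uri?('http://example.com/part.adoc'),  # true
  'https://example.com/part.adoc' => strict_target_uri?('https://example.com/part.adoc'), # true
  'ftp://example.com/part.adoc'   => strict_target_uri?('ftp://example.com/part.adoc'),   # false
  'http://bad host/part.adoc'     => strict_target_uri?('http://bad host/part.adoc'),     # false (InvalidURIError)
  '|id'                           => strict_target_uri?('|id'),                          # false
}.freeze

# Writes a constructed include file into a temp dir and exercises the reader
# with a benign target, a pipe-like target and a path-traversal target.
def demo_safe_include
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'chapter.adoc'), "= Chapter\n\nSome text.\n")
    ok     = safe_read_lines('chapter.adoc', dir)
    pipe   = (safe_read_lines('|id', dir) rescue :refused)
    escape = (safe_read_lines('../../../etc/hostname', dir) rescue :refused)
    { ok: ok, pipe: pipe, escape: escape }
  end
end

if __FILE__ == $PROGRAM_NAME
  p CLASSIFICATION
  p demo_safe_include
  p [patched_include_ext?('0.2.0'), patched_include_ext?('0.4.0')]
end
```

The version gate is the check to put in a deploy-time script or a spec: anything that resolves asciidoctor-include-ext below 0.4.0 should fail the build rather than rely on the monkeypatch.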


No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leak issues.

No license issues detected.

This gem version has a license in the gemspec.

This gem version is available.

This gem version has not been yanked and is still available for usage.