rebber@2.0.1 vulnerabilities

Stringifies MDAST to LaTeX

Direct Vulnerabilities

Known vulnerabilities in the rebber package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Command Injection

rebber is a package that Stringifies MDAST to LaTeX.

Affected versions of this package are vulnerable to Command Injection. The reported problem came from CodeBlocks, which could be escaped to insert malicious LaTeX. Anyone using rebber without sanitization of code content or a custom macro is impacted by this vulnerability.

PoC

```
\end{CodeBlock}

% Will insert into the generated LaTeX the result of executing `COMMAND` on the system.
\immediate\write18{COMMAND > outputrce}
\input{outputrce}

\begin{CodeBlock}{text}
```

How to fix Command Injection?

Upgrade rebber to version 5.2.1 or higher.

<5.2.1