rebber@2.2.5 vulnerabilities

Stringifies MDAST to LaTeX

  • latest version

    5.5.0

  • latest non vulnerable version

  • first published

    7 years ago

  • latest version published

    7 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the rebber package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    Command Injection

    rebber is a package that Stringifies MDAST to LaTeX.

    Affected versions of this package are vulnerable to Command Injection. The reported problem came from CodeBlocks, which could be escaped to insert malicious LaTeX. Anyone using rebber without sanitization of code content or a custom macro is impacted by this vulnerability.

    PoC

    ```
    \end{CodeBlock}
    
    % Will insert into the generated LaTeX the result of executing `COMMAND` on the system.
    \immediate\write18{COMMAND > outputrce}
    \input{outputrce}
    
    \begin{CodeBlock}{text}
    ```
    

    How to fix Command Injection?

    Upgrade rebber to version 5.2.1 or higher.

    <5.2.1