Command Injection Affecting rebber package, versions <5.2.1
Threat Intelligence
Exploit Maturity
Proof of concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-REBBER-1583439
- published 8 Sep 2021
- disclosed 7 Sep 2021
- credit Unknown
How to fix?
Upgrade rebber
to version 5.2.1 or higher.
Overview
rebber is a package that Stringifies MDAST to LaTeX.
Affected versions of this package are vulnerable to Command Injection. The reported problem came from CodeBlocks, which could be escaped to insert malicious LaTeX. Anyone using rebber
without sanitization of code content or a custom macro is impacted by this vulnerability.
PoC
```
\end{CodeBlock}
% Will insert into the generated LaTeX the result of executing COMMAND
on the system.
\immediate\write18{COMMAND > outputrce}
\input{outputrce}
\begin{CodeBlock}{text}
</code></pre>
References
CVSS Scores
version 3.1