Markdownify 1.4.1 - RCE
8,6
High
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Markdownify 1.4.1 - RCE
Code name
State
Public
Release date
14 de out. de 2022
Affected product
Markdownify
Affected version(s)
Version 1.4.1
Vulnerability name
Remote Command Execution
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS v3.1 base score
8.6
Exploit available
Yes
CVE ID(s)
Description
Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Markdownify. This is possible because the application has the "nodeIntegration" option enabled.
Vulnerability
This vulnerability occurs because the application has the "nodeIntegration" option enabled. Due to the above, an attacker can embed malicious JS code in a markdown file and send it to the victim for viewing to achieve an RCE.
Exploitation
To exploit this vulnerability, the following file must be sent to a user to be opened with Markdownify.
exploit.md
Evidence of exploitation
Our security policy
We have reserved the CVE-2022-41709 to refer to this issue from now on. Disclosure policy
System Information
Version: Markdownify 1.4.1
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
References
Timeline
Vulnerability discovered
23 de set. de 2022
Vendor contacted
23 de set. de 2022
Vendor replied
23 de set. de 2022
Vendor confirmed
23 de set. de 2022
Public disclosure
14 de out. de 2022
