CVE-2023-24824

EUVD-2023-28818

31.03.2023, 23:15

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
GitHub_M	CNA	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 53%

Affected Products (NVD)

Vendor	Product	Version
github	cmark-gfm	𝑥 < 0.29.0.gfm.10.

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

cmark-gfm

bookworm	ignored
bullseye	no-dsa
buster	no-dsa
sid	vulnerable
trixie	vulnerable

python-cmarkgfm

bookworm	ignored
bullseye	no-dsa
buster	no-dsa
sid	vulnerable
trixie	vulnerable

r-cran-commonmark

bookworm	ignored
bullseye	no-dsa
buster	no-dsa
sid	1.9.2-2 fixed
trixie	1.9.2-2 fixed

ruby-commonmarker

bookworm	ignored
bullseye	no-dsa
buster	no-dsa
sid	vulnerable
trixie	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

cmark

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
kinetic	ignored
lunar	ignored
mantic	ignored
noble	needs-triage
oracular	needs-triage
trusty	ignored
xenial	ignored

cmark-gfm

bionic	dne
focal	needs-triage
jammy	needs-triage
kinetic	ignored
lunar	ignored
mantic	ignored
noble	needs-triage
oracular	needs-triage
trusty	ignored
xenial	ignored

Known Exploits!

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59

https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh

https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59

https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh