CVE-2023-24824

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program written in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text that begins with large numbers of either `>` or `-` characters. The issue has been addressed in version 0.29.0.gfm.10, and users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
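The advisory gives two defensive actions: check whether a deployed cmark-gfm is older than 0.29.0.gfm.10, and, where an upgrade is not yet possible, bound what untrusted input is allowed to reach the parser. The following Python helpers are an added example (not code from cmark-gfm or GitHub) showing both checks. They assume that cmark-gfm version strings always follow the `MAJOR.MINOR.PATCH.gfm.N` pattern seen in the advisory, and the run-length threshold of 256 marker characters is an arbitrary assumption a deployment should tune for its own content.

```python
"""Defensive helpers around CVE-2023-24824 (constructed example, not cmark-gfm code)."""
import re

# Version named in the advisory as the first fixed release.
FIXED_VERSION = "0.29.0.gfm.10"

# Assumption: cmark-gfm versions look like 0.29.0.gfm.10 (MAJOR.MINOR.PATCH.gfm.N).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.gfm\.(\d+)")


def parse_cmark_gfm_version(version):
    """Turn '0.29.0.gfm.10' into a comparable tuple (0, 29, 0, 10)."""
    match = _VERSION_RE.fullmatch(version.strip())
    if match is None:
        raise ValueError(f"unrecognised cmark-gfm version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version):
    """True when the given cmark-gfm version predates the fixed release."""
    return parse_cmark_gfm_version(version) < parse_cmark_gfm_version(FIXED_VERSION)


def max_leading_marker_run(text):
    """Longest run of '>' / '-' characters at the start of any line.

    Spaces between markers are skipped so that nested blockquote syntax such as
    '> > > text' counts its three markers; any other character ends the run.
    This is the shape of input the advisory describes as triggering quadratic
    parsing time in unpatched cmark-gfm.
    """
    worst = 0
    for line in text.splitlines():
        count = 0
        for ch in line:
            if ch in ">-":
                count += 1
            elif ch == " ":
                continue
            else:
                break
        worst = max(worst, count)
    return worst


def input_is_safe(text, max_marker_run=256):
    """Coarse pre-parse guard for untrusted Markdown on an unpatched library.

    Rejects documents whose leading '>' / '-' runs exceed max_marker_run
    (threshold is an assumption, tune per deployment). Ordinary documents
    rarely nest blockquotes or list markers more than a handful deep.
    """
    return max_leading_marker_run(text) <= max_marker_run


def should_render(text, installed_version, max_marker_run=256):
    """Allow rendering outright on a fixed version; otherwise apply the guard."""
    if not is_vulnerable_version(installed_version):
        return True
    return input_is_safe(text, max_marker_run)


if __name__ == "__main__":
    # Constructed sample inputs: a normal document and an abnormally deep one.
    normal = "# Title\n\n> quoted line\n> > nested quote\n\n- item\n- - sub-item\n"
    deep = ">" * 300 + " x\n"
    for doc in (normal, deep):
        print(max_leading_marker_run(doc), should_render(doc, "0.29.0.gfm.9"))
```

`should_render` skips the content guard entirely once the installed library reports 0.29.0.gfm.10 or later, so the guard only costs a linear scan on deployments that still need it.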
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.3 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| GitHub_M | CNA | 5.3 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVE | ADP | --- | --- | | | |
| CISA-ADP | ADP | --- | --- | | | |
Base Score (CVSS 3.x): 5.3 MEDIUM
EPSS Score: percentile 63%
| Vendor | Product | Version |
|---|---|---|
| github | cmark-gfm | x < 0.29.0.gfm.10 |

x = vulnerable software versions
Debian Releases

| Debian Product | Codename | Fixed Version | Status |
|---|---|---|---|
| cmark-gfm | bullseye | | no-dsa |
| cmark-gfm | bookworm | | ignored |
| cmark-gfm | buster | | no-dsa |
| cmark-gfm | trixie | | vulnerable |
| cmark-gfm | sid | | vulnerable |
| python-cmarkgfm | bullseye | | no-dsa |
| python-cmarkgfm | bookworm | | ignored |
| python-cmarkgfm | buster | | no-dsa |
| python-cmarkgfm | trixie | | vulnerable |
| python-cmarkgfm | sid | | vulnerable |
| r-cran-commonmark | bullseye | | no-dsa |
| r-cran-commonmark | bookworm | | ignored |
| r-cran-commonmark | buster | | no-dsa |
| r-cran-commonmark | trixie | 1.9.2-2 | fixed |
| r-cran-commonmark | sid | 1.9.2-2 | fixed |
| ruby-commonmarker | bullseye | | no-dsa |
| ruby-commonmarker | bookworm | | ignored |
| ruby-commonmarker | buster | | no-dsa |
| ruby-commonmarker | trixie | | vulnerable |
| ruby-commonmarker | sid | | vulnerable |
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| cmark | oracular | needs-triage |
| cmark | noble | needs-triage |
| cmark | mantic | ignored |
| cmark | lunar | ignored |
| cmark | kinetic | ignored |
| cmark | jammy | needs-triage |
| cmark | focal | needs-triage |
| cmark | bionic | needs-triage |
| cmark | xenial | ignored |
| cmark | trusty | ignored |
| cmark-gfm | oracular | needs-triage |
| cmark-gfm | noble | needs-triage |
| cmark-gfm | mantic | ignored |
| cmark-gfm | lunar | ignored |
| cmark-gfm | kinetic | ignored |
| cmark-gfm | jammy | needs-triage |
| cmark-gfm | focal | needs-triage |
| cmark-gfm | bionic | dne |
| cmark-gfm | xenial | ignored |
| cmark-gfm | trusty | ignored |