CVE-2023-37463

EUVD-2023-41361
cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.4 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
GitHub_MCNA
6.4 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
Affected Products (NVD)
VendorProductVersion
githubcmark-gfm
𝑥
< 0.29.0.gfm.12
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
cmark-gfm
bookworm
ignored
bullseye
no-dsa
buster
no-dsa
sid
vulnerable
trixie
vulnerable
python-cmarkgfm
bookworm
ignored
bullseye
no-dsa
buster
no-dsa
sid
vulnerable
trixie
vulnerable
r-cran-commonmark
bookworm
ignored
bullseye
no-dsa
buster
no-dsa
sid
1.9.2-2
fixed
trixie
1.9.2-2
fixed
ruby-commonmarker
bookworm
ignored
bullseye
no-dsa
buster
no-dsa
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
cmark-gfm
bionic
ignored
focal
needs-triage
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.12
https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5
https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.12
https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5