CVE-2024-22051

CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. This vulnerability can result in possibly unauthenticated remote attackers to cause heap memory corruption, potentially leading to an information leak or remote code execution, via parsing tables with marker rows that contain more than UINT16_MAX columns.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheckCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 91%
VendorProductVersion
githubcmark-gfm
𝑥
< 0.28.3.gfm.21
githubcmark-gfm
0.29.0.gfm.0 ≤
𝑥
< 0.29.0.gfm.3
gjtorikiancommonmarker
𝑥
< 0.23.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-commonmarker
bullseye
ignored
buster
no-dsa
bookworm
0.23.6-1
fixed
sid
0.23.10-1
fixed
trixie
0.23.10-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-commonmarker
plucky
not-affected
oracular
not-affected
noble
not-affected
mantic
not-affected
lunar
not-affected
jammy
needs-triage
focal
needs-triage
bionic
ignored
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://github.com/advisories/GHSA-fmx4-26r3-wxpf
https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x
https://github.com/gjtorikian/commonmarker/commit/ab4504fd17460627a6ab255bc3c63e8e5fc6aed3
https://github.com/gjtorikian/commonmarker/security/advisories/GHSA-fmx4-26r3-wxpf
https://vulncheck.com/advisories/vc-advisory-GHSA-fmx4-26r3-wxpf
https://github.com/advisories/GHSA-fmx4-26r3-wxpf
https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x
https://github.com/gjtorikian/commonmarker/commit/ab4504fd17460627a6ab255bc3c63e8e5fc6aed3
https://github.com/gjtorikian/commonmarker/security/advisories/GHSA-fmx4-26r3-wxpf
https://vulncheck.com/advisories/vc-advisory-GHSA-fmx4-26r3-wxpf