Lucene search

[email protected]CVE-2021-21306

HistoryFeb 08, 2021 - 10:15 p.m.

CVE-2021-21306

2021-02-0822:15:12

CWE-400

[email protected]

web.nvd.nist.gov

marked

markdown parser

npm package

open source

cve-2021-21306

security vulnerability

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

56.1%

JSON

Marked is an open-source markdown parser and compiler (npm package “marked”). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0.

Affected configurations

Vulners

NVD

Node

markedjsmarkedRange1.1.1–2.0.0

CPENameOperatorVersion
marked_project:markedmarked project markedlt2.0.0

CPE	Name	Operator	Version
marked_project:marked	marked project marked	lt	2.0.0

CNA Affected

[
  {
    "product": "marked",
    "vendor": "markedjs",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.1.1, < 2.0.0"
      }
    ]
  }
]