Jan 24, 2023 - 1:15 a.m.

CVE-2023-22485

2023-01-24 01:15:10
CWE-125, CWE-91
web.nvd.nist.gov
Tags: github, cmark-gfm, commonmark, parsing, rendering, library, c, vulnerability, out-of-bounds read, nvd, cve-2023-22485

CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 5.4 Medium
Confidence: High

EPSS: 0.001 Low
Percentile: 34.1%

cmark-gfm is GitHub’s fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the validate_protocol function. We believe this bug is harmless in practice, because the out-of-bounds read accesses malloc metadata without causing any visible damage. This vulnerability has been patched in 0.29.0.gfm.7.

Affected configurations

Vulners
NVD
Node: github cmark-gfm, Range: <0.29.0.gfm.7
Vendor: github, Product: cmark\-gfm, Version: *, CPE: cpe:2.3:a:github:cmark\-gfm:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "github",
    "product": "cmark-gfm",
    "versions": [
      {
        "version": "< 0.29.0.gfm.7",
        "status": "affected"
      }
    ]
  }
]
