CVE-2022-24724 Integer overflow in table parsing extension leads to heap memory corruption

2022-03-0319:35:09

CWE-190

GitHub_M

www.cve.org

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.065 Low

EPSS

Percentile

93.7%

JSON

cmark-gfm is GitHub’s extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm’s table row parsing table.c:row_from_string may lead to heap memory corruption when parsing tables who’s marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where cmark-gfm is used. If cmark-gfm is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the cmark-gfm library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.

CNA Affected

[
  {
    "product": "cmark-gfm",
    "vendor": "github",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.28.3.gfm.21"
      },
      {
        "status": "affected",
        "version": ">= 0.29.0.gfm.0, < 0.29.0.gfm.3"
      }
    ]
  }
]