CVE-2023-37463 Quadratic complexity bugs may lead to a denial of service

2023-07-1319:22:16

CWE-400

GitHub_M

www.cve.org

cmark-gfm

security update

denial of service vulnerabilities

0.29.0.gfm.12

resource exhaustion

commonmark

6.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

7.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.0%

JSON

cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12.

CNA Affected

[
  {
    "vendor": "github",
    "product": "cmark-gfm",
    "versions": [
      {
        "version": "< 0.29.0.gfm.12",
        "status": "affected"
      }
    ]
  }
]