Lucene search

GitHub Advisory DatabaseGHSA-7VH7-FW88-WJ87

HistoryAug 08, 2023 - 5:12 p.m.

Several quadratic complexity bugs may lead to denial of service in Commonmarker

2023-08-0817:12:00

CWE-407

GitHub Advisory Database

github.com

commonmarker

cmark-gfm

denial of service

cve-2023-37463

upgrade

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

21.1%

JSON

Impact

Several quadratic complexity bugs in commonmarker’s underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

CVE-2023-37463

For more information, consult the release notes for version 0.29.0.gfm.12.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.10.

Affected configurations

Vulners

Node

gjtorikiancommonmarkerRange<0.23.10ruby

CPENameOperatorVersion
commonmarkerlt0.23.10

CPE	Name	Operator	Version
	commonmarker	lt	0.23.10

References

github.com/advisories/GHSA-7vh7-fw88-wj87

github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.12

github.com/gjtorikian/commonmarker/commit/db8cd377b54541f7fd484d168b7682a282a680f7

github.com/gjtorikian/commonmarker/security/advisories/GHSA-7vh7-fw88-wj87

rubygems.org/gems/commonmarker/versions/0.23.10

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

21.1%

JSON

Related for GHSA-7VH7-FW88-WJ87