OSV: GHSA-636F-XM5J-PJ9M
Published: 2023-01-24 18:12:17 (osv.dev, Google)

Several quadratic complexity bugs may lead to denial of service in Commonmarker
Tags: commonmarker, quadratic complexity bugs, denial of service, cmark-gfm, CVE-2023-22483, CVE-2023-22484, CVE-2023-22485, CVE-2023-22486, unbounded resource exhaustion, upgrade, version 0.23.7

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

EPSS: 0.001
Percentile: 37.5%

Impact

Several quadratic complexity bugs in commonmarker’s underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

For more information, consult the release notes for version 0.23.0.gfm.7.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.7.
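Because the advisory's only mitigation is a version bump, the practical check is whether a project's lockfile still resolves commonmarker below 0.23.7. The following Ruby script is an added example, not code from the advisory or from the commonmarker project: it parses the specs section of a Gemfile.lock (a constructed sample lockfile is embedded, so it runs offline) and reports every gem pinned below the fixed version taken from this advisory. It relies only on Gem::Version from Ruby's standard distribution; the handling of platform-suffixed versions such as 1.13.3-x86_64-linux is an assumption about Bundler's lockfile format, not something the advisory states.

```ruby
require "rubygems" # Gem::Version ships with Ruby; no external gem is needed

# Fixed version named in the advisory's mitigation: commonmarker 0.23.7 and later.
FIXED_VERSIONS = { "commonmarker" => "0.23.7" }.freeze

# Constructed sample Gemfile.lock (not from any real project). It pins a
# vulnerable commonmarker and includes a platform-specific gem plus nested
# dependency lines so the parser's indentation handling is exercised.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      commonmarker (0.23.6)
      nokogiri (1.13.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    commonmarker
    nokogiri
LOCK

# Parse the resolved spec lines of a Gemfile.lock into { gem name => version }.
# Bundler writes resolved specs as "    name (version)" with exactly four leading
# spaces; a spec's own dependencies are indented six spaces and carry constraints
# like "(~> 1.4)", so they are skipped by requiring a non-space name right after
# the four spaces. A "-platform" suffix (e.g. "1.13.3-x86_64-linux") is stripped
# so that Gem::Version does not treat it as a prerelease (assumed lockfile layout).
def parse_lockfile_specs(lockfile_text)
  specs = {}
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m
    name, raw_version = m[1], m[2]
    specs[name] = raw_version.split("-", 2).first
  end
  specs
end

# Compare locked versions against the fixed versions and return findings as
# [gem_name, installed_version, fixed_version] for each gem still below the fix.
# Gems absent from the lockfile are not findings (they are not installed).
def vulnerable_gems(specs, fixed_versions)
  fixed_versions.filter_map do |name, fixed|
    installed = specs[name]
    next unless installed
    next if Gem::Version.new(installed) >= Gem::Version.new(fixed)
    [name, installed, fixed]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_commonmarker.rb [path/to/Gemfile.lock]; defaults to the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  findings = vulnerable_gems(parse_lockfile_specs(text), FIXED_VERSIONS)
  if findings.empty?
    puts "no affected gems found"
  else
    findings.each do |name, have, fixed|
      puts "#{name} #{have} is below the fixed version #{fixed}; upgrade it"
    end
  end
end
```

Run it against a real Gemfile.lock by passing the path as the first argument; a non-empty finding list means the locked commonmarker still carries the quadratic-complexity cmark-gfm code paths this advisory describes, and the fix is the upgrade named in the mitigation.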
