Several quadratic complexity bugs may lead to denial of service in Commonmarker

2023-01-2418:12:17

Google

osv.dev

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

34.1%

JSON

Impact

Several quadratic complexity bugs in commonmarker’s underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

For more information, consult the release notes for version 0.23.0.gfm.7.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.7.

CPENameOperatorVersion
commonmarkereq0.14.11
commonmarkereq0.15.0
commonmarkereq0.16.0
commonmarkereq0.20.1
commonmarkereq0.18.2
commonmarkereq0.10.0
commonmarkereq0.17.6
commonmarkereq0.17.13
commonmarkereq0.17.7.1
commonmarkereq0.19.0

Name	Operator	Version
commonmarker	eq	0.14.11
commonmarker	eq	0.15.0
commonmarker	eq	0.16.0
commonmarker	eq	0.20.1
commonmarker	eq	0.18.2
commonmarker	eq	0.10.0
commonmarker	eq	0.17.6
commonmarker	eq	0.17.13
commonmarker	eq	0.17.7.1
commonmarker	eq	0.19.0