GoogleOSV:GHSA-HJCP-J389-59FFRegular Expression Denial of Service in marked
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.005 Low
EPSS
Percentile
75.2%
Versions 0.3.3 and earlier of marked are affected by a regular expression denial of service ( ReDoS ) vulnerability when passed inputs that reach the em inline rule.
Recommendation
Update to version 0.3.4 or later.
References
www.openwall.com/lists/oss-security/2016/04/20/11
github.com/advisories/GHSA-hjcp-j389-59ff
github.com/chjj/marked
github.com/chjj/marked/issues/497
lists.fedoraproject.org/archives/list/[email protected]/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS
lists.fedoraproject.org/archives/list/[email protected]/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S
nvd.nist.gov/vuln/detail/CVE-2015-8854
support.f5.com/csp/article/K05052081?utm_source=f5support&utm_medium=RSS
www.npmjs.com/advisories/23
www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.005 Low
EPSS
Percentile
75.2%