OSV (Google): RSEC-2023-8
Published: Oct 06, 2023 - 5:00 a.m.
Source: osv.dev

Denial of Service (DoS) vulnerabilities

Tags: github, commonmark, software, resource exhaustion, denial of service, unbounded, out-of-bounds, upgrade, input validation, patches

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 6.4 (Confidence: High)
EPSS: 0.001 (Percentile: 37.6%)

cmark-gfm, GitHub's extended version of the CommonMark library in C, suffers from multiple vulnerabilities affecting versions prior to 0.29.0.gfm.12. Most of them are algorithmic-complexity issues: parsing in several components, including the autolink extension, handle_close_bracket, and the handling of certain text patterns (leading >, -, or _ characters), runs in polynomial time in the length of the input, so a crafted document of modest size can keep the parser busy for an unbounded amount of time and cause a denial of service. An out-of-bounds read in the validate_protocol function was also identified but is considered less harmful. Patches are available in versions 0.29.0.gfm.7, 0.29.0.gfm.10, and 0.29.0.gfm.12; upgrading to 0.29.0.gfm.12 or later covers all of the reported issues. Users who cannot upgrade should validate their input and only render Markdown that comes from trusted sources.
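The two practical checks that follow from the advisory are (a) whether the cmark-gfm build in use predates the last fix version and (b) bounding what an untrusted document can cost when it is rendered. The following is an added example, not code from cmark-gfm, GitHub or the advisory. It assumes that the application reaches the library through some callable `render(text) -> str` (a ctypes or cffi binding, not shown) and that the library's version string has the `0.29.0.gfm.N` shape the advisory uses; `_fake_render` and the marker text it reacts to are constructed stand-ins for testing.

```python
"""Guards for a service that hands user-supplied Markdown to cmark-gfm.

Added example, not code from cmark-gfm or from the advisory. Assumptions:
  * the application calls cmark-gfm through some render(text) -> str
    callable (a ctypes/cffi binding, not shown here);
  * the library reports its version in the "0.29.0.gfm.N" form used by
    the advisory (confirm against cmark_version_string() in your build).
"""
import re
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as RenderTimeout

# Last fix version named in the advisory; anything older is treated as affected.
FIXED_VERSION = "0.29.0.gfm.12"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.gfm\.(\d+)$")


def parse_gfm_version(version: str) -> tuple:
    """'0.29.0.gfm.12' -> (0, 29, 0, 12), so versions compare as tuples."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"not a cmark-gfm version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed cmark-gfm predates the complete fix set."""
    return parse_gfm_version(version) < parse_gfm_version(fixed)


# Assumed application limits; tune them to your own traffic.
MAX_INPUT_BYTES = 64 * 1024
RENDER_TIMEOUT_S = 2.0


def guarded_render(render, text: str, max_bytes: int = MAX_INPUT_BYTES,
                   timeout_s: float = RENDER_TIMEOUT_S):
    """Bound both the input size and the wall-clock time a render may take.

    Returns (True, html) on success, or (False, reason) when a guard trips.
    A size cap alone is not enough against polynomial-time parsing: a few
    tens of KB of the right pattern can still burn seconds, hence the
    time bound as well.
    """
    if len(text.encode("utf-8")) > max_bytes:
        return False, "input too large"
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(render, text)
    try:
        return True, future.result(timeout=timeout_s)
    except RenderTimeout:
        # A thread stuck inside a C call cannot be interrupted from Python:
        # shutdown(wait=False) lets the caller move on, but the worker keeps
        # burning CPU until the parser returns. Production deployments should
        # isolate rendering in a worker process they can kill outright.
        return False, "render timed out"
    finally:
        pool.shutdown(wait=False)


def _fake_render(text: str) -> str:
    """Constructed stand-in for the real binding: stalls on a marker string."""
    if "SLOW" in text:
        time.sleep(1.0)
    return "<p>" + text + "</p>"


if __name__ == "__main__":
    for v in ("0.29.0.gfm.6", "0.29.0.gfm.11", "0.29.0.gfm.12", "0.29.0.gfm.13"):
        print(v, "affected" if is_affected(v) else "fixed")
    print(guarded_render(_fake_render, "# hello"))
    print(guarded_render(_fake_render, ">" * (MAX_INPUT_BYTES + 1)))
    print(guarded_render(_fake_render, "SLOW", timeout_s=0.1))
```

The version check is the cheap part: run it once at startup against the library you actually link and refuse to start, or log loudly, when it reports an affected build. The render guard is the fallback for deployments that cannot upgrade yet; because a thread cannot be pre-empted while it is inside the C parser, the timeout only protects the request latency, not the CPU, which is why a separate, killable worker process is the better shape for untrusted input.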
