ubuntucve | Ubuntu.com | UB:CVE-2023-39663
History: Aug 29, 2023 - 12:00 a.m.

CVE-2023-39663

Tags: mathjax, redos, vulnerabilities, dispute, vendor

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.0005 Low
Percentile: 17.0%

DISPUTED MathJax up to v2.7.9 was discovered to contain two Regular
expression Denial of Service (ReDoS) vulnerabilities in MathJax.js via the
components pattern and markdownPattern. NOTE: the vendor disputes this
because the regular expressions are not applied to user input; thus, there
is no risk.

Notes

alexmurray: Upstream dispute this CVE since these components are internal to MathJax.js and cannot be influenced by a user / attacker so there is no way to abuse this as a ReDoS.
