Ubuntu.comUB:CVE-2024-28243CVE-2024-28243
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.9 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.0%
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX
users who render untrusted mathematical expressions could encounter
malicious input using \edef that causes a near-infinite loop, despite
setting maxExpand to avoid such loops. This can be used as an
availability attack, where e.g. a client rendering another user’s KaTeX
input will be unable to use the site due to memory overflow, tying up the
main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this
vulnerability.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | node-katex | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | node-katex | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | node-katex | < any | UNKNOWN |
| ubuntu | 23.10 | noarch | node-katex | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | node-katex | < any | UNKNOWN |
References
github.com/KaTeX/KaTeX/commit/e88b4c357f978b1bca8edfe3297f0aa309bcbe34
github.com/KaTeX/KaTeX/commit/e88b4c357f978b1bca8edfe3297f0aa309bcbe34 (v0.16.10)
github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72w
launchpad.net/bugs/cve/CVE-2024-28243
nvd.nist.gov/vuln/detail/CVE-2024-28243
security-tracker.debian.org/tracker/CVE-2024-28243
www.cve.org/CVERecord?id=CVE-2024-28243
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.9 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.0%