Lucene search

Veracode Vulnerability DatabaseVERACODE:33589

HistoryJan 11, 2022 - 9:54 a.m.

Regular Expression Denial Of Service (ReDoS)

2022-01-1109:54:41

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

markdown-it is vulnerable to regular expression denial of service. An attacker is able to slow down the whole system by injecting a string of length greater than 50 thousand characters.

CPENameOperatorVersion
markdown-itle12.3.1
markdown-itle12.3.1
node-markdown-it:bookwormeq10.0.0+dfsg-2
node-markdown-it:sideq10.0.0+dfsg-2

Name	Operator	Version
markdown-it	le	12.3.1
markdown-it	le	12.3.1
node-markdown-it:bookworm	eq	10.0.0+dfsg-2
node-markdown-it:sid	eq	10.0.0+dfsg-2

References

github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101

github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

Related for VERACODE:33589