cmark-gfm Quadratic complexity bugs may lead to a denial of service

CVE-2023-22483

7.5HIGH

Key Information

Vendor: github
Status: cmark-gfm
Vendor: CVE Published:; 23 January 2023

Summary

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to several polynomial time complexity issues in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. Various commands, when piped to cmark-gfm with large values, cause the running time to increase quadratically. These vulnerabilities have been patched in version 0.29.0.gfm.7.

Affected Version(s)

cmark-gfm = < 0.29.0.gfm.7

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jan 23, 2023
Vulnerability Reserved.
Dec 29, 2022

Collectors

NVD DatabaseMitre Database