cmark-gfm out-of-bounds read in validate_protocol
CVE-2023-22485

5.3MEDIUM

Key Information:

Vendor: Github
Status: Cmark-gfm
Vendor: CVE Published:; 24 January 2023

What is CVE-2023-22485?

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the validate_protocol function. We believe this bug is harmless in practice, because the out-of-bounds read accesses malloc metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.

Affected Version(s)

cmark-gfm < 0.29.0.gfm.7

References

https://github.com/github/cmark-gfm/security/advisories/G...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 24, 2023
Vulnerability Reserved
Dec 29, 2022

Github

What is CVE-2023-22485?

Affected Version(s)

References

CVSS V3.1

Timeline