cmark-gfm out-of-bounds read in validate_protocol

CVE-2023-22485

5.3MEDIUM

Key Information

Vendor: github
Status: cmark-gfm
Vendor: CVE Published:; 24 January 2023

Summary

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.

Affected Version(s)

cmark-gfm = < 0.29.0.gfm.7

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jan 24, 2023
Vulnerability Reserved.
Dec 29, 2022

Collectors

NVD DatabaseMitre Database