cmark-gfm Quadratic complexity bug in handle_close_bracket may lead to a denial of service

CVE-2023-22486

7.5HIGH

Key Information

Vendor: github
Status: cmark-gfm
Vendor: CVE Published:; 26 January 2023

Summary

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.

Affected Version(s)

cmark-gfm = < 0.29.0.gfm.7

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jan 26, 2023
Vulnerability Reserved.
Dec 29, 2022

Collectors

NVD DatabaseMitre Database