CVE-2023-28626 – comrak

Package

Manager: cargo
Name: comrak
Vulnerable Version: >=0 <0.17.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00254 pctl0.48592

Details

Comrak vulnerable to quadratic runtime issues when parsing Markdown (GHSL-2023-047) ### Impact A range of quadratic parsing issues from `cmark`/`cmark-gfm` are also present in Comrak. These can be used to craft denial-of-service attacks on services that use Comrak to parse Markdown. ### Patches 0.17.0 contains fixes to known quadratic parsing issues. ### Workarounds n/a ### References * https://github.com/commonmark/cmark/issues/255 * https://github.com/commonmark/cmark/issues/389 * https://github.com/commonmark/cmark/issues/373 * https://github.com/commonmark/cmark/issues/299 * https://github.com/commonmark/cmark/issues/388 * https://github.com/commonmark/cmark/issues/284 * https://github.com/commonmark/cmark/issues/218 * https://github.com/commonmark/cmark/pull/232 * https://github.com/github/cmark-gfm/blob/c32ef78bae851cb83b7ad52d0fbff880acdcd44a/test/pathological_tests.py#L63-L65 * https://github.com/github/cmark-gfm/blob/c32ef78bae851cb83b7ad52d0fbff880acdcd44a/test/pathological_tests.py#L87-L89

Metadata

Created: 2023-03-28T14:40:29Z
Modified: 2023-03-28T23:08:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-8hqf-xjwp-p67v/GHSA-8hqf-xjwp-p67v.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-8hqf-xjwp-p67v
Finding: F067
Auto approve: 1