CVE-2023-24824 (High) detected in commonmarker-0.17.7.1.gem
mend-bolt-for-github opened this issue · 0 comments
CVE-2023-24824 - High Severity Vulnerability
Vulnerable Library - commonmarker-0.17.7.1.gem
A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.17.7.1.gem
Dependency Hierarchy:
- github-pages-175.gem (Root Library)
- jekyll-commonmark-ghpages-0.1.3.gem
- ❌ commonmarker-0.17.7.1.gem (Vulnerable Library)
- jekyll-commonmark-ghpages-0.1.3.gem
Found in base branch: master
Vulnerability Details
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of > or - characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
Publish Date: 2023-03-31
URL: CVE-2023-24824
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-48wp-p9qv-4j64
Release Date: 2023-03-31
Fix Resolution: commonmarker - 0.23.9
Step up your Open Source Security Game with Mend here