CVE-2020-5238 — Improper Input Validation in Github Cmark-gfm

CWE-20 — Improper Input Validation6 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.5%

top 33.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github Cmark-gfm Github Flavored Markdown Project Github Flavored Markdown Debian Cmark-gfm +5 more

Timeline

PublishedJul 1

Latest updateJul 7

Description

The table extension in GitHub Flavored Markdown before version 0.29.0.gfm.1 takes O(n * n) time to parse certain inputs. An attacker could craft a markdown table which would take an unreasonably long time to process, causing a denial of service. This issue does not affect the upstream cmark project. The issue has been fixed in version 0.29.0.gfm.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages8 packages

▶NVDgithub_flavored_markdown_project/github_flavored_markdown< 0.29.0.gfm.1

▶CVEListV5github/cmark-gfm< 0.29.0.gfm.1

▶Debiangithub/cmark-gfm< 0.29.0.gfm.2-1+2

▶debiandebian/cmark-gfm< cmark-gfm 0.29.0.gfm.2-1 (bookworm)

▶debiandebian/python-cmarkgfm< cmark-gfm 0.29.0.gfm.2-1 (bookworm)

Also affects: Fedora 31, 32, 33

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2020-5238: The table extension in GitHub Flavored Markdown before version 0↗2020-07-01

▶

📋Vendor Advisories

Red Hat

cmark-gfm: Exponential time to parse certain inputs could lead to DoS↗2020-07-01

▶

Debian

CVE-2020-5238: cmark-gfm - The table extension in GitHub Flavored Markdown before version 0.29.0.gfm.1 take...↗2020

▶

💬Community

Bugzilla

CVE-2020-5238 cmark-gfm: Exponential time to parse certain inputs could lead to DoS↗2020-07-07

▶

Bugzilla

CVE-2020-5238 ghc-cmark-gfm: cmark: Exponential time to parse certain inputs could lead to DoS. [fedora-all]↗2020-07-07

▶