CVE-2022-24724
Published 2022-03-03
Priority P259 · critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 4.19% (89.7th percentile)
cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing (`table.c:row_from_string`) may lead to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from information leak to arbitrary code execution, depending on how and where `cmark-gfm` is used. If `cmark-gfm` renders remote user-controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications that embed affected versions of the library. The vulnerability has been patched in cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available: the vulnerable code lives in the table markdown extension of cmark-gfm, so disabling the table extension prevents the vulnerability from being triggered.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | cmark-gfm | < cmark-gfm 0.29.0.gfm.3-3 (bookworm) | cmark-gfm 0.29.0.gfm.3-3 (bookworm) |
| debian | ghostwriter | < cmark-gfm 0.29.0.gfm.3-3 (bookworm) | cmark-gfm 0.29.0.gfm.3-3 (bookworm) |
| debian | python-cmarkgfm | < cmark-gfm 0.29.0.gfm.3-3 (bookworm) | cmark-gfm 0.29.0.gfm.3-3 (bookworm) |
| debian | r-cran-commonmark | < cmark-gfm 0.29.0.gfm.3-3 (bookworm) | cmark-gfm 0.29.0.gfm.3-3 (bookworm) |
| debian | ruby-commonmarker | < cmark-gfm 0.29.0.gfm.3-3 (bookworm) | cmark-gfm 0.29.0.gfm.3-3 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github | cmark-gfm | < 0.28.3.gfm.21 | 0.28.3.gfm.21 |
| github | cmark-gfm | < 0.29.0.gfm.3 | 0.29.0.gfm.3 |
| github | cmark-gfm | — | — |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.3-3 | 0.29.0.gfm.3-3 |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.3-3 | 0.29.0.gfm.3-3 |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.3-3 | 0.29.0.gfm.3-3 |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered via table row parsing in cmark-gfm; detect exploitation attempts by monitoring for markdown input containing table marker rows with an abnormally large number of columns (more than UINT16_MAX, i.e. 65535), which triggers the integer overflow in table.c:row_from_string. Such a row needs at least one `|` per column boundary, so it is necessarily a single line of at least 64 KiB; a per-line length threshold is a cheap first-stage filter before counting columns.
- The vulnerable code path is exclusively within the table markdown extension of cmark-gfm; detection or WAF rules should focus on table syntax (pipe-delimited marker rows) in user-supplied markdown rendered by affected cmark-gfm versions (< 0.29.0.gfm.3 or < 0.28.3.gfm.21).
- Disabling the cmark-gfm table extension entirely is a viable workaround that fully prevents this vulnerability from being triggered, at the cost of losing table rendering support. The table extension is opt-in in cmark-gfm (attached per parser, or `--extension table` on the command line), so the exposed surface is wherever an application or its language binding enables it.
- Impact severity depends on deployment context: if cmark-gfm renders remote user-controlled markdown, the vulnerability may escalate to Remote Code Execution; otherwise it may be limited to an information leak.
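The overflow class in the description above and the column-count check in the detection notes, as one added example (this is not cmark-gfm's own code; the real `table.c:row_from_string` differs): a delimiter-row counter in the vulnerable style, with the count narrowed to 16 bits, beside a hardened one that refuses rows above UINT16_MAX, plus a length-gated input pre-filter. The function names, the "cells = pipes - 1" counting rule and the constructed rows are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative code only: not cmark-gfm's table.c. It models the bug class
 * from the advisory (a column count stored in 16 bits that wraps past
 * UINT16_MAX) beside the hardened form, for a GFM delimiter row such as
 * "|---|:--:|---|". The counting rule is an assumption of this example:
 * the row has a leading pipe, so cells = pipes - 1. */

static size_t count_pipes(const char *row, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (row[i] == '|')
            n++;
    return n;
}

static size_t cell_count(const char *row, size_t len) {
    size_t pipes = count_pipes(row, len);
    return pipes ? pipes - 1 : 0;
}

/* Vulnerable pattern: the count is narrowed to a 16-bit field. For rows with
 * more than UINT16_MAX cells it wraps, so a buffer sized from this value is
 * smaller than the number of cells the parser later stores into it (heap
 * corruption). This function only returns the wrapped value and never
 * allocates or writes, so it is safe to run. */
uint16_t vulnerable_column_count(const char *row, size_t len) {
    uint16_t n_columns = (uint16_t)cell_count(row, len); /* the truncation */
    return n_columns;
}

/* Hardened pattern: count in size_t and refuse the row before the narrow
 * field is ever assigned. Returns -1 for rows the caller must reject. */
long hardened_column_count(const char *row, size_t len) {
    size_t cells = cell_count(row, len);
    if (cells > UINT16_MAX)
        return -1;
    return (long)cells;
}

/* Input-side pre-filter matching the detection note: N cells need at least
 * N - 1 separators, so a row with more than UINT16_MAX cells is at least
 * UINT16_MAX bytes long. Shorter lines are cleared without scanning. */
int row_exceeds_limit(const char *row, size_t len) {
    if (len < UINT16_MAX)
        return 0;
    return hardened_column_count(row, len) < 0;
}

/* Constructed sample input: "|" followed by n_cells copies of "-|".
 * Caller frees the result. */
char *make_row(size_t n_cells) {
    size_t len = 1 + 2 * n_cells;
    char *row = malloc(len + 1);
    if (!row)
        return NULL;
    row[0] = '|';
    for (size_t i = 0; i < n_cells; i++) {
        row[1 + 2 * i] = '-';
        row[2 + 2 * i] = '|';
    }
    row[len] = '\0';
    return row;
}

struct row_result {
    unsigned vulnerable; /* what the 16-bit counter reports */
    long hardened;       /* real count, or -1 if rejected */
    int reject;          /* pre-filter verdict */
};

/* Runs all three functions over a constructed row with n_cells cells. */
struct row_result analyze_row_with_cells(size_t n_cells) {
    struct row_result r = {0, -1, 1};
    char *row = make_row(n_cells);
    if (!row)
        return r;
    size_t len = strlen(row);
    r.vulnerable = vulnerable_column_count(row, len);
    r.hardened = hardened_column_count(row, len);
    r.reject = row_exceeds_limit(row, len);
    free(row);
    return r;
}

int main(void) {
    size_t cases[] = {3, UINT16_MAX, (size_t)UINT16_MAX + 2};
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct row_result r = analyze_row_with_cells(cases[i]);
        printf("cells=%zu 16-bit count=%u hardened=%ld reject=%d\n",
               cases[i], r.vulnerable, r.hardened, r.reject);
    }
    return 0;
}
```

The vulnerable function deliberately returns only the wrapped count and never allocates from it, so the block runs safely; the point is that for 65537 cells it reports 1 while the hardened version rejects the row outright. If you put a pre-filter in front of a renderer, gate on line length first, since any qualifying marker row is at least 64 KiB on a single line.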
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Red Hat
cmark-gfm: possible RCE due to integer overflow
vendor_redhat · 2022-03-03 · CVSS 8.8 (HIGH) · CWE-190
Debian
CVE-2022-24724: cmark-gfm - cmark-gfm is GitHub's extended version of the C reference implementation of Comm...
vendor_debian · 2022 · CVSS 8.8 (HIGH)
OSV
CVE-2022-24724: cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark
osv · 2022-03-03 · CVSS 9.8 (CRITICAL)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/166599/cmark-gfm-Integer-overflow.html
- https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5CYUU662VO6CCXQKVZVOHXX3RGIF2DLQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7V3HAM5H6YFJG2QFEXACZR3XVWFTXTC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KH4UQA6VWVZU5EW3HNEAB7D7BTCNJSJ2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSKUOJ2VAYGTJXPDE2RRPMNLVVMKCI77/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TJBFIJEHJZEEDG6MO4MQHZYKUXELH77O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55K6VNVKO2G5SNKRCQ2KDG5SKTX5PVV/