CVE-2023-37463 — Uncontrolled Resource Consumption in Github Cmark-gfm

CWE-400 — Uncontrolled Resource Consumption CWE-407 — Inefficient Algorithmic Complexity5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 56.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github Cmark-gfm Debian Cmark-gfm Debian Python-cmarkgfm +2 more

Timeline

PublishedJul 13

Latest updateAug 8

Description

cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDgithub/cmark-gfm< 0.29.0.gfm.12

▶debiandebian/cmark-gfm< cmark-gfm 0.29.0.gfm.13-1 (forky)

▶debiandebian/python-cmarkgfm< cmark-gfm 0.29.0.gfm.13-1 (forky)

▶Debiangithub/cmark-gfm< 0.29.0.gfm.13-1+1

▶debiandebian/r-cran-commonmark< cmark-gfm 0.29.0.gfm.13-1 (forky)

🔴Vulnerability Details

GHSA

Several quadratic complexity bugs may lead to denial of service in Commonmarker↗2023-08-08

▶

OSV

Several quadratic complexity bugs may lead to denial of service in Commonmarker↗2023-08-08

▶

OSV

CVE-2023-37463: cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec↗2023-07-13

▶

📋Vendor Advisories

Debian

CVE-2023-37463: cmark-gfm - cmark-gfm is an extended version of the C reference implementation of CommonMark...↗2023

▶