CVE-2023-42821 — Out-of-bounds Read in Markdown

CWE-125 — Out-of-bounds Read7 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 34.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gomarkdown Markdown Github.com Gomarkdown Markdown Debian Golang-github-gomarkdown-markdown +4 more

Timeline

PublishedSep 22

Description

The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion `0.0.0-20230922105210-14b16010c2ee`, which corresponds with commit `14b16010c2ee7ff33a940a541d993bd043a88940`, parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability. To exploit the vulnerability, parser needs to have `parser.Mmark` extension set. The panic occurs inside the `citation.go` file …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶CVEListV5gomarkdown/markdown< 0.0.0-20230922105210-14b16010c2ee

▶Gogithub.com/gomarkdown_markdown< 0.0.0-20230922105210-14b16010c2ee

▶debiandebian/golang-github-gomarkdown-markdown< golang-github-gomarkdown-markdown 0.0~git20231115.a660076-1 (forky)

▶msrcmsrc/cbl_mariner_2.0_arm

▶msrcmsrc/cbl_mariner_2.0_x64

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-42821: The package `github↗2023-09-22

▶

OSV

Markdown vulnerable to Out-of-bounds Read while parsing citations↗2023-09-22

▶

OSV

Parser out-of-bounds read caused by a malformed markdown input in github.com/gomarkdown/markdown↗2023-09-22

▶

GHSA

Markdown vulnerable to Out-of-bounds Read while parsing citations↗2023-09-22

▶

📋Vendor Advisories

Microsoft

github.com/gomarkdown/markdown Out-of-bounds Read while parsing citations↗2023-09-12

▶

Debian

CVE-2023-42821: golang-github-gomarkdown-markdown - The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdow...↗2023

▶