CVE-2024-22051 — Integer Overflow or Wraparound in Commonmarker

CWE-190 — Integer Overflow or Wraparound6 documents5 sources

Severity

9.8CRITICALNVD

EPSS

7.1%

top 8.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github Cmark-gfm Gjtorikian Commonmarker Debian Ruby-commonmarker

Timeline

PublishedJan 4

Description

CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. This vulnerability can result in possibly unauthenticated remote attackers to cause heap memory corruption, potentially leading to an information leak or remote code execution, via parsing tables with marker rows that contain more than UINT16_MAX columns.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDgjtorikian/commonmarker< 0.23.4

▶RubyGemsgjtorikian/commonmarker< 0.23.4

▶debiandebian/ruby-commonmarker< ruby-commonmarker 0.23.4-1 (bookworm)

▶NVDgithub/cmark-gfm0.29.0.gfm.0 — 0.29.0.gfm.3+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-22051: CommonMarker versions prior to 0↗2024-01-04

▶

GHSA

Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption↗2022-03-03

▶

OSV

Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption↗2022-03-03

▶

📋Vendor Advisories

Red Hat

commonmarker: integer overflow in cmark-gfm's table row parsing may lead to heap memory corruption↗2024-01-04

▶

Debian

CVE-2024-22051: ruby-commonmarker - CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnera...↗2024

▶