Add commonmark vulnerabilities #7

Merged
merged 1 commit into from
Oct 6, 2023
2 changes: 1 addition & 1 deletion latest-id.txt
@@ -1 +1 @@
2023-5
2023-8
40 changes: 40 additions & 0 deletions vulns/commonmark/RSEC-2023-6.yaml
@@ -0,0 +1,40 @@
id: RSEC-2023-6
details: The commonmark package, specifically in its dependency on GitHub Flavored Markdown before version 0.29.0.gfm.1,
has a vulnerability related to time complexity. Parsing certain crafted markdown tables can take O(n * n) time,
leading to potential Denial of Service attacks. This issue does not affect the upstream cmark project and has been
fixed in version 0.29.0.gfm.1.
affected:
- package:
name: commonmark
ecosystem: CRAN
ranges:
- type: ECOSYSTEM
events:
- introduced: "0.2"
- fixed: "1.8"
versions:
- "0.2"
- "0.4"
- "0.5"
- "0.6"
- "0.7"
- "0.8"
- "0.9"
- "1.0"
- "1.1"
- "1.2"
- "1.4"
- "1.5"
- "1.6"
- "1.7"
references:
- type: WEB
url: https://security-tracker.debian.org/tracker/CVE-2020-5238
- type: WEB
url: https://github.com/r-lib/commonmark/issues/13
- type: WEB
url: https://github.com/r-lib/commonmark/pull/18
aliases:
- CVE-2020-5238
modified: "2023-10-06T05:00:00.600Z"
published: "2023-10-06T05:00:00.600Z"
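Review bot: the `details` field mixes two version namespaces, which makes the record ambiguous for a CRAN user: "fixed in version 0.29.0.gfm.1" is a cmark-gfm (bundled C library) version, while the `ranges` block says the CRAN `commonmark` package is fixed in "1.8". Suggest stating explicitly that 0.29.0.gfm.1 is the upstream cmark-gfm fix and that commonmark 1.8 is the first CRAN release bundling it, e.g. "...fixed upstream in cmark-gfm 0.29.0.gfm.1, shipped in commonmark 1.8." Also worth a sentence noting that the `versions` list is the set of published CRAN releases in the range (0.3 and 1.3 are absent), so a reader does not take the gaps for omissions.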
42 changes: 42 additions & 0 deletions vulns/commonmark/RSEC-2023-7.yaml
@@ -0,0 +1,42 @@
id: RSEC-2023-7
details: cmark-gfm, GitHub's extended CommonMark library, has multiple vulnerabilities. Versions prior to 0.29.0.gfm.6
suffer from a polynomial time complexity issue in the autolink extension, causing denial of service. Also, versions
before 0.29.0.gfm.3 and 0.28.3.gfm.21 contain an integer overflow in table row parsing, leading to heap corruption and
potential Arbitrary Code Execution. Patches are available in versions 0.29.0.gfm.6, 0.29.0.gfm.3, and 0.28.3.gfm.21.
Mitigations include upgrading or disabling affected extensions.
affected:
- package:
name: commonmark
ecosystem: CRAN
ranges:
- type: ECOSYSTEM
events:
- introduced: "0.2"
- fixed: "1.8"
versions:
- "0.2"
- "0.4"
- "0.5"
- "0.6"
- "0.7"
- "0.8"
- "0.9"
- "1.0"
- "1.1"
- "1.2"
- "1.4"
- "1.5"
- "1.6"
- "1.7"
references:
- type: WEB
url: https://security-tracker.debian.org/tracker/CVE-2022-39209
- type: WEB
url: https://security-tracker.debian.org/tracker/CVE-2022-24724
- type: WEB
url: https://github.com/r-lib/commonmark/pull/18
aliases:
- CVE-2022-39209
- CVE-2022-24724
modified: "2023-10-06T05:00:00.600Z"
published: "2023-10-06T05:00:00.600Z"
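Review bot: two CVEs with different upstream fix versions are folded into a single affected range ("introduced: 0.2" / "fixed: 1.8"), but the details give three distinct cmark-gfm fix versions (0.29.0.gfm.6 for CVE-2022-39209, 0.29.0.gfm.3 and 0.28.3.gfm.21 for CVE-2022-24724). The single CRAN range is only correct if no commonmark release between 0.2 and 1.8 bundled a cmark-gfm at or above gfm.3 but below gfm.6; please confirm that against the bundled library version in each release (PR #18 is cited as the reference) and, if they differ, split this into one record per CVE or document the bundled cmark-gfm version for 1.8 in `details`. As in RSEC-2023-6, "Patches are available in versions ..." should say these are cmark-gfm versions, not CRAN package versions, and the "Mitigations include upgrading or disabling affected extensions" sentence should name which commonmark option disables the table and autolink extensions, since that is the actionable part for users who cannot upgrade.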
59 changes: 59 additions & 0 deletions vulns/commonmark/RSEC-2023-8.yaml
@@ -0,0 +1,59 @@
id: RSEC-2023-8
details: cmark-gfm, GitHub's extended version of the CommonMark library in C, suffers from multiple vulnerabilities
affecting versions prior to 0.29.0.gfm.12. Various issues, including polynomial time complexity in multiple components
like autolink extension, handle_close_bracket, and parsing of certain text patterns (leading `>`, `-`, `_`), may lead
to unbounded resource exhaustion and denial of service. An out-of-bounds read in the `validate_protocol` function was
also identified but is considered less harmful. Patches are available in versions 0.29.0.gfm.7, 0.29.0.gfm.10, and
0.29.0.gfm.12. Upgrading is advised, and users unable to upgrade should validate input from trusted sources.
affected:
- package:
name: commonmark
ecosystem: CRAN
ranges:
- type: ECOSYSTEM
events:
- introduced: "0.2"
versions:
- "0.2"
- "0.4"
- "0.5"
- "0.6"
- "0.7"
- "0.8"
- "0.9"
- "1.0"
- "1.1"
- "1.2"
- "1.4"
- "1.5"
- "1.6"
- "1.7"
- "1.8"
- "1.9"
references:
- type: WEB
url: https://security-tracker.debian.org/tracker/CVE-2023-37463
- type: WEB
url: https://security-tracker.debian.org/tracker/CVE-2023-26485
- type: WEB
url: https://security-tracker.debian.org/tracker/CVE-2023-24824
- type: WEB
url: https://security-tracker.debian.org/tracker/CVE-2023-22486
- type: WEB
url: https://security-tracker.debian.org/tracker/CVE-2023-22485
- type: WEB
url: https://security-tracker.debian.org/tracker/CVE-2023-22484
- type: WEB
url: https://security-tracker.debian.org/tracker/CVE-2023-22483
- type: WEB
url: https://github.com/r-lib/commonmark/issues/26
aliases:
- CVE-2023-37463
- CVE-2023-26485
- CVE-2023-24824
- CVE-2023-22486
- CVE-2023-22485
- CVE-2023-22484
- CVE-2023-22483
modified: "2023-10-06T05:00:00.600Z"
published: "2023-10-06T05:00:00.600Z"
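Review bot: the range has an `introduced: "0.2"` event but no `fixed` event, so consumers will treat every commonmark release, including the latest listed "1.9", as vulnerable even though `details` says upstream patches exist in 0.29.0.gfm.7, 0.29.0.gfm.10 and 0.29.0.gfm.12. If no CRAN release bundles cmark-gfm 0.29.0.gfm.12 yet, say so in `details` (e.g. "no fixed CRAN release at time of writing; tracked in r-lib/commonmark#26") so the open range reads as intentional rather than an oversight; if 1.9 or a later release does bundle it, add the corresponding `fixed:` event and drop that version from `versions`. Two wording points in `details`: "Upgrading is advised" contradicts the absence of a fixed version in this record, and "users unable to upgrade should validate input from trusted sources" presumably means "should only process markdown from trusted sources" (validation of already-trusted input is not the mitigation). Finally, seven CVEs with three different fix versions are bundled into one record; the same per-CVE fix-version concern raised on RSEC-2023-7 applies here.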