CVE-2023-42821

Published: Sep 22, 2023

Modified: Sep 24, 2024

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion `0.0.0-20230922105210-14b16010c2ee`, which corresponds with commit `14b16010c2ee7ff33a940a541d993bd043a88940`, parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability. To exploit the vulnerability, parser needs to have `parser.Mmark` extension set. The panic occurs inside the `citation.go` file on the line 69 when the parser tries to access the element past its length. This can result in a denial of service. Commit `14b16010c2ee7ff33a940a541d993bd043a88940`/pseudoversion `0.0.0-20230922105210-14b16010c2ee` contains a patch for this issue.

Vendor	Product	Versions
gomarkdown	markdown	affected `< 0.0.0-20230922105210-14b16010c2ee`

Weaknesses (CWE)

CWE-125

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/gomarkdown/markdown/security/advisories/GHSA-m9xq-6h2j-65r2

x_refsource_CONFIRM

https://github.com/gomarkdown/markdown/commit/14b16010c2ee7ff33a940a541d993bd043a88940

x_refsource_MISC

https://github.com/gomarkdown/markdown/blob/7478c230c7cd3e7328803d89abe591d0b61c41e4/parser/citation.go#L69

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-42821

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References