CVE-2022-39209

Опубликовано: 15 сент. 2022

Источник: nvd

CVSS3: 7.5

CVSS3: 6.5

EPSS Низкий

Описание

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

Ссылки

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:github:cmark-gfm:*:*:*:*:*:*:*:*

Версия до 0.29.0.gfm.6 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

EPSS

Процентиль: 78%

0.01103

Низкий

7.5 High

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-400

CWE-407

Связанные уязвимости

CVE-2022-39209

CVSS3: 7.5

ubuntu

больше 3 лет назад

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

CVE-2022-39209

CVSS3: 6.5

redhat

больше 3 лет назад

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

CVE-2022-39209

CVSS3: 7.5

debian

больше 3 лет назад

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...

EPSS

Процентиль: 78%

0.01103

Низкий

7.5 High

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-400

CWE-407