Description
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
A vulnerability was found in the markedjs package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected | | |
| OpenShift Service Mesh 2.1 | servicemesh-grafana | Will not fix | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-rhel8 | Will not fix | | |
| Red Hat build of Apicurio Registry 2 | marked | Not affected | | |
| Red Hat Ceph Storage 5 | ceph | Affected | | |
| Red Hat Ceph Storage 5 | rhceph/rhceph-5-dashboard-rhel8 | Affected | | |
| Red Hat Data Grid 8 | marked | Not affected | | |
| Red Hat Enterprise Linux 8 | 389-ds:1.4/389-ds-base | Will not fix | | |
| Red Hat Enterprise Linux 8 | cockpit | Not affected | | |
| Red Hat Enterprise Linux 8 | cockpit-appstream | Not affected | | |
Additional information
Status:
CVSS3: 7.5 High
Related vulnerabilities
Inefficient Regular Expression Complexity in marked
Vulnerability in the Marked markdown parser and compiler, related to incorrect handling of a regular expression, allowing an attacker to cause a denial of service
CVSS3: 7.5 High