exploitDog
CVE-2025-6493

Published: 22 Jun 2025
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

A vulnerability was found in CodeMirror up to 5.17.0 and classified as problematic. Affected by this issue is some unknown functionality of the file mode/markdown/markdown.js of the component Markdown Mode. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Not all code samples mentioned in the GitHub issue can be found. The repository notes that "CodeMirror 6 exists, and is [...] much more actively maintained."

A flaw was found in codemirror. The markdown.js file within the Markdown Mode component exhibits inefficient regular expression usage, leading to excessive resource consumption. This flaw allows a remote attacker to provide a specially crafted file. This inefficient processing can result in a denial of service.

Statement

This vulnerability is an inefficient regular expression complexity issue, also known as a Regular Expression Denial of Service (ReDoS), in the Markdown mode component. A remote, unauthenticated attacker can submit a specially crafted input that causes a denial of service (DoS) due to excessive CPU consumption. While the vulnerability is easily exploitable, it only impacts the availability of the component processing the markdown, and does not lead to a compromise of data or system integrity. The assigned severity is Moderate because the flaw, while easy to exploit remotely without authentication, has its impact limited to a denial of service. It does not allow for unauthorized access to data or arbitrary code execution, which would warrant a higher rating.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform | Package | State | Advisory | Release
OpenShift Serverless | openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8 | Not affected | | 
Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Not affected | | 
Red Hat Developer Hub | rhdh/rhdh-rhel9-operator | Not affected | | 
Red Hat Enterprise Linux 10 | gjs | Not affected | | 
Red Hat Enterprise Linux 7 | firefox | Not affected | | 
Red Hat Enterprise Linux 7 | thunderbird | Not affected | | 
Red Hat Enterprise Linux 8 | mozjs60 | Not affected | | 
Red Hat Enterprise Linux 9 | gjs | Not affected | | 
Red Hat Enterprise Linux 9 | polkit | Not affected | | 
Red Hat Fuse 7 | io.hawt-hawtio-online | Not affected | | 


Additional information

Severity: Moderate
Weakness: CWE-1333 (Inefficient Regular Expression Complexity)
Weakness: CWE-400 (Uncontrolled Resource Consumption)
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2374238
Title: codemirror: CodeMirror Markdown Regex Complexity Vulnerability

EPSS: 0.00051 (Low), percentile 16%
CVSS3: 5.3 (Medium)

Related vulnerabilities

The same CVE record as tracked by other sources; each carries the description quoted above.

CVSS3: 5.3, ubuntu, about 1 month ago
CVSS3: 5.3, nvd, about 1 month ago
CVSS3: 5.3, debian, about 1 month ago
CVSS3: 5.3, github, about 1 month ago