Description
Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like sequences cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated denial of service in web applications, documentation systems, CI/CD pipelines, and any other service that renders untrusted Markdown, and, where the uncaught exception is rendered back to the client, information disclosure through the stack trace. The issue was acknowledged by the vendor and fixed in version 3.8.1.
A flaw was found in Python-Markdown. Parsing crafted Markdown content containing malformed HTML-like sequences causes html.parser.HTMLParser to raise an unhandled AssertionError. This unhandled exception allows an attacker to crash the application and potentially disclose sensitive information via its stack trace.
Statement
To exploit this flaw, an attacker must be able to supply a specially crafted payload that is processed by an application using Python-Markdown. The security impact is limited to a denial of service and to information disclosure via the unhandled exception's stack trace; there is no memory corruption or arbitrary command execution. For these reasons, this issue has been rated Important severity.
Mitigation
To mitigate this vulnerability, wrap the Markdown rendering call in a try/except block that catches the exception, returns a generic error or a safe fallback to the caller, and records the traceback only in server-side logs. This prevents both the application crash and the stack-trace leak. It does not fix the parser itself, so upgrade to Python-Markdown 3.8.1 or later where possible.
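The wrapper described above, as an added example that is not code from the advisory or from the Python-Markdown project. It assumes the caller uses `markdown.markdown()` as the rendering entry point; the `stand_in_render` function and its `<!trigger>` marker are constructed for the demo and are not the real malformed sequence, which this page does not disclose. The guard catches the failure, logs the traceback with an opaque incident id, and returns the HTML-escaped source instead of the exception text, so nothing from the traceback reaches the client.

```python
import html
import logging
import uuid
from typing import Callable, Optional, Tuple

log = logging.getLogger("markdown_guard")


def stand_in_render(text: str) -> str:
    """Constructed stand-in for markdown.markdown used by the demo below.

    It imitates the failure mode described in the advisory by raising
    AssertionError whenever the input contains the marker "<!trigger>".
    That marker is an invention for this example, not the real trigger
    sequence, and the HTML it returns is deliberately minimal.
    """
    if "<!trigger>" in text:
        raise AssertionError("we should not get here!")  # constructed failure
    return "<p>" + html.escape(text) + "</p>"


def safe_render(text: str,
                render: Optional[Callable[[str], str]] = None
                ) -> Tuple[str, Optional[str]]:
    """Render untrusted Markdown without letting a parser crash escape.

    Returns (html, incident_id). incident_id is None on success; on failure
    it is an opaque token written to the server-side log together with the
    traceback, so an operator can correlate a user report with the exception
    while the traceback itself never reaches the client.
    """
    if render is None:
        # Default to Python-Markdown's public entry point (assumed API).
        # Imported lazily so the wrapper can be exercised with an injected
        # renderer when the library is not installed.
        import markdown
        render = markdown.markdown
    try:
        return render(text), None
    except Exception:  # not BaseException: SystemExit/KeyboardInterrupt still propagate
        incident_id = uuid.uuid4().hex[:12]
        # logging.exception attaches the traceback to the log record only;
        # it is never part of the value returned to the caller.
        log.exception("Markdown render failed (incident %s, %d bytes of input)",
                      incident_id, len(text))
        # Fall back to the escaped source: safe to display and loses no content.
        fallback = "<pre>" + html.escape(text) + "</pre>"
        return fallback, incident_id


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(safe_render("# hello", render=stand_in_render))
    print(safe_render("bad <!trigger> input", render=stand_in_render))
```

In a web application the incident id is what goes into the HTTP error response or the user-facing message; the exception type, message and traceback stay in the log. Catching `Exception` rather than only `AssertionError` is a deliberate choice for untrusted input: it also covers any other parser failure, while leaving process-control exceptions untouched.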
Affected packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| External Secrets Operator for Red Hat OpenShift | external-secrets-operator/bitwarden-sdk-server-rhel9 | Not affected | | |
| External Secrets Operator for Red Hat OpenShift | external-secrets-operator/external-secrets-operator-bundle | Not affected | | |
| External Secrets Operator for Red Hat OpenShift | external-secrets-operator/external-secrets-operator-rhel9 | Not affected | | |
| External Secrets Operator for Red Hat OpenShift | external-secrets-operator/external-secrets-rhel9 | Not affected | | |
| Multicluster Engine for Kubernetes | multicluster-engine/assisted-installer-agent-rhel9 | Not affected | | |
| Multicluster Engine for Kubernetes | multicluster-engine/assisted-installer-controller-rhel9 | Not affected | | |
| Multicluster Engine for Kubernetes | multicluster-engine/assisted-installer-rhel9 | Not affected | | |
| Multicluster Engine for Kubernetes | multicluster-engine/assisted-service-8-rhel8 | Not affected | | |
| Multicluster Engine for Kubernetes | multicluster-engine/assisted-service-9-rhel9 | Not affected | | |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/controller-rhel9 | Affected | | |
Additional information
Status:
CVSS3: 8.2 High