Описание
Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.
A flaw was found in markdown-it. A remote attacker can exploit this Regular Expression Denial of Service (ReDoS) vulnerability by providing a specially crafted input containing a long sequence of asterisk characters followed by a non-matching character to the linkify function. This triggers excessive backtracking in the regular expression, leading to a denial-of-service condition.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel9 | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-operator-bundle | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-proxy-rhel9 | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-rhel9-operator | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-curator5-rhel9 | Not affected | ||
| Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Not affected | ||
| Red Hat OpenShift Dev Spaces | devspaces/code-rhel9 | Not affected | ||
| Red Hat OpenShift Dev Spaces | devspaces/code-sshd-rhel9 | Not affected | ||
| Red Hat OpenShift Dev Spaces | devspaces/openvsx-rhel9 | Affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.
Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.
Versions of the package markdown-it from 13.0.0 and before 14.1.1 are ...
markdown-it is has a Regular Expression Denial of Service (ReDoS)
EPSS
7.5 High
CVSS3