CVE-2023-42821
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion 0.0.0-20230922105210-14b16010c2ee, which corresponds with commit 14b16010c2ee7ff33a940a541d993bd043a88940, parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability. To exploit the vulnerability, parser needs to have parser.Mmark extension set. The panic occurs inside the citation.go file on the line 69 when the parser tries to access the element past its length. This can result in a denial of service. Commit 14b16010c2ee7ff33a940a541d993bd043a88940/pseudoversion 0.0.0-20230922105210-14b16010c2ee contains a patch for this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| gomarkdown | markdown | < 0.0.0-20230922105210-14b16010c2ee | affected |
Weaknesses
- CWE-125: CWE-125: Out-of-bounds Read
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/gomarkdown/markdown/security/advisories/GHSA-m9xq-6h2j-65r2
- https://github.com/gomarkdown/markdown/commit/14b16010c2ee7ff33a940a541d993bd043a88940
- https://github.com/gomarkdown/markdown/blob/7478c230c7cd3e7328803d89abe591d0b61c41e4/parser/citation.go#L69
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/gomarkdown/markdown/security/advisories/GHSA-m9xq-6h2j-65r2
- https://github.com/gomarkdown/markdown/commit/14b16010c2ee7ff33a940a541d993bd043a88940
- https://github.com/gomarkdown/markdown/blob/7478c230c7cd3e7328803d89abe591d0b61c41e4/parser/citation.go#L69
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.