SB2023012405 - Multiple vulnerabilities in cmark-gfm

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Inefficient Algorithmic Complexity (CVE-ID: CVE-2023-22486)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a polynomial time complexity issue in cmark-gfm in handle_close_bracket. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Inefficient Algorithmic Complexity (CVE-ID: CVE-2023-22484)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a polynomial time complexity issue in cmark-gfm may in handle_pointy_brace. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

3) Inefficient Algorithmic Complexity (CVE-ID: CVE-2023-22483)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to several polynomial time complexity issues. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

4) Out-of-bounds read (CVE-ID: CVE-2023-22485)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in validate_protocol function. A remote attacker can trigger out-of-bounds read error and read contents of memory on the system.

Remediation

Install update from vendor's website.

References

• https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p
• https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r
• https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c
• https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr