Incorrect Regular Expression in marked

#VU76062 Incorrect Regular Expression in marked

Published: 2023-05-12

Vulnerability identifier: #VU76062

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21681

CWE-ID: CWE-185

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
marked
Other software / Other software solutions

Vendor:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj
http://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Storage Ceph

Multiple vulnerabilities in IBM Storage Defender - Data Protect

Multiple vulnerabilities in IBM Maximo Manage application in IBM Maximo Application Suite

Multiple vulnerabilities in IBM Maximo Asset Management

Multiple vulnerabilities in Red Hat Ceph Storage

Multiple vulnerabilities in IBM Cognos Analytics

Incorrect Regular Expression in IBM Cloud Automation Manager