cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
References
Configurations
History
21 Nov 2024, 07:17
Type | Values Removed | Values Added |
---|---|---|
References | () https://en.wikipedia.org/wiki/Time_complexity - Third Party Advisory | |
References | () https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655 - Patch, Third Party Advisory | |
References | () https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q - Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7/ - | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMGP65NANDVKPDMXMKYO2ZV2H2HZJY4P/ - | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEAAAI4OULDYQ2TA3HOXH54PC3DCBFZS/ - | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
07 Nov 2023, 03:50
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
11 Jul 2023, 20:54
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-407 |
Information
Published : 2022-09-15 18:15
Updated : 2024-11-21 07:17
NVD link : CVE-2022-39209
Mitre link : CVE-2022-39209
CVE.ORG link : CVE-2022-39209
JSON object : View
Products Affected
fedoraproject
- fedora
github
- cmark-gfm