CVE-2020-5238

The table extension in GitHub Flavored Markdown before version 0.29.0.gfm.1 takes O(n * n) time to parse certain inputs. An attacker could craft a markdown table which would take an unreasonably long time to process, causing a denial of service. This issue does not affect the upstream cmark project. The issue has been fixed in version 0.29.0.gfm.1.

References

Affected packages

Git / github.com/github/cmark-gfm

Affected ranges

Type

GIT

Repo

https://github.com/github/cmark-gfm

Events

Introduced

Fixed

0f98e8abfb65dd7b2a2ae03e46b182b5124e0e34

Fixed

85d895289c5ab67f988ca659493a64abb5fec7b4

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.29.0.gfm.1"
        }
    ]
}

Affected versions

0.*

0.27.1.gfm.2

0.27.1.gfm.3

0.27.1.gfm.4

0.28.0.gfm.10

0.28.0.gfm.11

0.28.0.gfm.5

0.28.0.gfm.6

0.28.0.gfm.7

0.28.0.gfm.8

0.28.0.gfm.9

0.28.3.gfm.12

0.28.3.gfm.13

0.28.3.gfm.14

0.28.3.gfm.15

0.28.3.gfm.16

0.28.3.gfm.17

0.28.3.gfm.18

0.28.3.gfm.19

0.28.3.gfm.20

0.29.0.gfm.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-5238.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "31"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "32"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "33"
            }
        ]
    }
]