CVE-2023-42821
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-42821
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42821.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-42821
- Aliases
- Related
- Published
- 2023-09-22T17:15:14Z
- Modified
- 2024-09-18T03:25:25.573015Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
The package
github.com/gomarkdown/markdownis a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion0.0.0-20230922105210-14b16010c2ee, which corresponds with commit14b16010c2ee7ff33a940a541d993bd043a88940, parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability. To exploit the vulnerability, parser needs to haveparser.Mmarkextension set. The panic occurs inside thecitation.gofile on the line 69 when the parser tries to access the element past its length. This can result in a denial of service. Commit14b16010c2ee7ff33a940a541d993bd043a88940/pseudoversion0.0.0-20230922105210-14b16010c2eecontains a patch for this issue. - References
-
- https://github.com/gomarkdown/markdown/security/advisories/GHSA-m9xq-6h2j-65r2
- https://github.com/gomarkdown/markdown/commit/14b16010c2ee7ff33a940a541d993bd043a88940
- https://github.com/gomarkdown/markdown/blob/7478c230c7cd3e7328803d89abe591d0b61c41e4/parser/citation.go#L69
- https://security-tracker.debian.org/tracker/CVE-2023-42821
Affected packages
Debian:12 / golang-github-gomarkdown-markdown
Package
- Name
- golang-github-gomarkdown-markdown
- Purl
- pkg:deb/debian/golang-github-gomarkdown-markdown?arch=source
Debian:13 / golang-github-gomarkdown-markdown
Package
- Name
- golang-github-gomarkdown-markdown
- Purl
- pkg:deb/debian/golang-github-gomarkdown-markdown?arch=source