RSEC-2023-6

Import Source: https://github.com/RConsortium/r-advisory-database/blob/main/vulns/commonmark/RSEC-2023-6.yaml
JSON Data: https://api.osv.dev/v1/vulns/RSEC-2023-6
Published: 2023-10-06T05:00:00.600Z
Modified: 2023-10-20T07:27:00.600Z
Summary: Denial of Service (DoS) vulnerability
Details

The commonmark package depends on GitHub Flavored Markdown, which before version 0.29.0.gfm.1 has a time-complexity vulnerability: parsing certain crafted markdown tables can take O(n * n) time, which can lead to Denial of Service attacks. The issue does not affect the upstream cmark project and has been fixed in version 0.29.0.gfm.1.

Affected packages

CRAN / commonmark

Affected ranges

Type: ECOSYSTEM
Events:
Introduced: 0.2
Fixed: 1.8

Affected versions

0.*

0.2
0.4
0.5
0.6
0.7
0.8
0.9

1.*

1.0
1.1
1.2
1.4
1.5
1.6
1.7