CVE-2023-22485 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-22485

CVE-2023-22485

January 24, 2023

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the "validate_protocol" function. We believe this bug is harmless in practice, because the out-of-bounds read accesses "malloc" metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.

Affected Packages

commonmark (R):

Affected version(s) >=1.0 <1.9.2

Fix Suggestion:

Update to version 1.9.2

Related Resources (4)

https://security-tracker.debian.org/tracker/CVE-2023-22485

https://nvd.nist.gov/vuln/detail/CVE-2023-22485

https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22485.json

https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Out-of-bounds Read

CWE-125

XML Injection (aka Blind XPath Injection)

CWE-91

EPSS

Base Score:

0.07

Products

Solutions

Resources

Company

Compare

Developer Tools