{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-24824", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-30T14:43:33.705Z", "datePublished": "2023-03-31T22:01:18.220Z", "dateUpdated": "2025-02-11T17:19:40.510Z"}, "containers": {"cna": {"title": "Quadratic complexity may lead to a denial of service in cmark-gfm", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-407", "lang": "en", "description": "CWE-407: Inefficient Algorithmic Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh"}, {"name": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59", "tags": ["x_refsource_MISC"], "url": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59"}], "affected": [{"vendor": "github", "product": "cmark-gfm", "versions": [{"version": "< 0.29.0.gfm.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-31T22:01:18.220Z"}, "descriptions": [{"lang": "en", "value": "cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources."}], "source": {"advisory": "GHSA-66g8-4hjf-77xh", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:03:19.254Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh"}, {"name": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-11T17:19:34.977599Z", "id": "CVE-2023-24824", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T17:19:40.510Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh", "name": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59", "name": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:03:19.254Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-24824", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-11T17:19:34.977599Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T17:19:16.221Z"}}], "cna": {"title": "Quadratic complexity may lead to a denial of service in cmark-gfm", "source": {"advisory": "GHSA-66g8-4hjf-77xh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "github", "product": "cmark-gfm", "versions": [{"status": "affected", "version": "< 0.29.0.gfm.10"}]}], "references": [{"url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh", "name": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59", "name": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-407", "description": "CWE-407: Inefficient Algorithmic Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-31T22:01:18.220Z"}}}, "cveMetadata": {"cveId": "CVE-2023-24824", "state": "PUBLISHED", "dateUpdated": "2025-02-11T17:19:40.510Z", "dateReserved": "2023-01-30T14:43:33.705Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-03-31T22:01:18.220Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:github:cmark-gfm:*:*:*:*:*:*:*:*", "matchCriteriaId": "D388F6C5-34DD-4C62-9D86-0E10F97FC4EB", "versionEndExcluding": "0.29.0.gfm.10.", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources."}], "id": "CVE-2023-24824", "lastModified": "2024-11-21T07:48:28.123", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-31T23:15:07.153", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-407"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "cmark-gfm: Quadratic complexity bugs may lead to a denial of service", "id": "2210172", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210172"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "(CWE-400|CWE-407)", "details": ["cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.", "A flaw was found in CommonMarker. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service."], "name": "CVE-2023-24824", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "commonmarker", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "impact": "moderate", "package_name": "pandoc", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2023-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-24824\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-24824\nhttps://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh"], "threat_severity": "Moderate"}