CVE-2023-22485

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior 0.29.0.gfm.7, a crafted markdown document can trigger an out-of-bounds read in the `validate_protocol` function. We believe this bug is harmless in practice, because the out-of-bounds read accesses `malloc` metadata without causing any visible damage.This vulnerability has been patched in 0.29.0.gfm.7.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:github:cmark-gfm:*:*:*:*:*:*:*:*

History

02 Feb 2023, 14:11

Type Values Removed Values Added
References (MISC) https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr - (MISC) https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr - Exploit, Third Party Advisory
CWE CWE-125 CWE-91
CPE cpe:2.3:a:github:cmark-gfm:*:*:*:*:*:*:*:*
First Time Github cmark-gfm
Github
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3

24 Jan 2023, 01:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-01-24 01:15

Updated : 2023-12-10 14:48


NVD link : CVE-2023-22485

Mitre link : CVE-2023-22485

CVE.ORG link : CVE-2023-22485


JSON object : View

Products Affected

github

  • cmark-gfm
CWE
CWE-91

XML Injection (aka Blind XPath Injection)

CWE-125

Out-of-bounds Read