cmark-gfm DOS via Polynomial Time Complexity before 0.29.0.gfm.7
CVE-2023-22484 Published on January 23, 2023
Inefficient Quadratic complexity bug in handle_pointy_brace may lead to a denial of service
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 are subject to a polynomial time complexity issue in cmark-gfm that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
Vulnerability Analysis
Weakness Types
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2023-22484 has been classified to as a Resource Exhaustion vulnerability or weakness.
Inefficient Algorithmic Complexity
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Products Associated with CVE-2023-22484
stack.watch emails you whenever new vulnerabilities are published in github Cmark Gfm or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
github cmark-gfm Version < 0.29.0.gfm.7 is affected by CVE-2023-22484Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.