Closed mend-bolt-for-github[bot] closed 2 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
CVE-2022-24724 - High Severity Vulnerability
Vulnerable Library - commonmarker v0.17.13
Ruby wrapper for libcmark (CommonMark parser)
Library home page: https://github.com/gjtorikian/commonmarker.git
Found in base branch: master
Vulnerable Source Files (1)
/_vendor/bundle/ruby/2.5.0/gems/commonmarker-0.17.13/ext/commonmarker/table.c
Vulnerability Details
cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing (`table.c:row_from_string`) may lead to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from information leak to arbitrary code execution, depending on how and where `cmark-gfm` is used. If `cmark-gfm` is used for rendering remote user-controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the `cmark-gfm` library. This vulnerability has been patched in cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available: the vulnerability exists in the table markdown extension of cmark-gfm, so disabling the table extension will prevent it from being triggered.
Publish Date: 2022-03-03
URL: CVE-2022-24724
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x
Release Date: 2022-03-03
Fix Resolution: 0.28.3.gfm.21,0.29.0.gfm.3