Vulnerable Library - github.com/snyk/snyk-ls-v0.0.0-20240507082100-cc93dfb3c69e
Path to dependency file: /cliv2/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/gomarkdown/markdown/@v/v0.0.0-20240419095408-642f0ee99ae2.mod
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
## Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in* |
| --- | --- | --- | --- | --- | --- |
| CVE-2024-44337 | Medium | 5.1 | github.com/gomarkdown/markdown-v0.0.0-20240419095408-642f0ee99ae2 | Transitive | github.com/gomarkdown/markdown-a2a9c4f76ef5a5c32108e36f7c47f8d310322252 |

\*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
\*\*In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
## Details
CVE-2024-44337
### Vulnerable Library - github.com/gomarkdown/markdown-v0.0.0-20240419095408-642f0ee99ae2

Markdown parser and HTML renderer for Go

Library home page: https://proxy.golang.org/github.com/gomarkdown/markdown/@v/v0.0.0-20240419095408-642f0ee99ae2.zip
Path to dependency file: /cliv2/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/gomarkdown/markdown/@v/v0.0.0-20240419095408-642f0ee99ae2.mod
Dependency Hierarchy:
- github.com/snyk/snyk-ls-v0.0.0-20240507082100-cc93dfb3c69e (Root Library)
  - :x: **github.com/gomarkdown/markdown-v0.0.0-20240419095408-642f0ee99ae2** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability Details

The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering it as HTML. Prior to pseudo-version `v0.0.0-20240729232818-a2a9c4f`, which corresponds to commit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252`, a logic error in the `paragraph` function of `parser/block.go` allowed a remote attacker to cause a denial of service (DoS) by supplying crafted input that sent the parser into an infinite loop, hanging the program and consuming resources indefinitely. Commit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252` contains the fix.

Publish Date: 2024-10-15

URL: [CVE-2024-44337](https://www.cve.org/CVERecord?id=CVE-2024-44337)
### Threat Assessment

Exploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 3 Score Details (5.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low

These metrics correspond to the vector `AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L`, which evaluates to a base score of 5.1. Note that the vector rates the attack vector as Local while the vulnerability description speaks of a remote attacker: if the application feeds untrusted Markdown received over the network to this parser, the practical exposure is what the description implies, not what the Local rating suggests.
### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-44337

Release Date: 2024-10-15

Fix Resolution: github.com/gomarkdown/markdown-a2a9c4f76ef5a5c32108e36f7c47f8d310322252

Because `github.com/gomarkdown/markdown` is only required transitively through `github.com/snyk/snyk-ls`, the fix has to be pinned from `/cliv2/go.mod` itself by requiring the fixing commit directly. Go records that commit as the pseudo-version `v0.0.0-20240729232818-a2a9c4f76ef5` (the commit's UTC timestamp followed by the first 12 hex digits of its hash), which is the full form of the `v0.0.0-20240729232818-a2a9c4f` named in the vulnerability details; any pseudo-version with an earlier timestamp is still affected.
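The following Go program is an added example and is not part of this report or of the gomarkdown or snyk-ls projects. It parses a constructed go.mod modelled on the dependency hierarchy above, locates the `github.com/gomarkdown/markdown` requirement and decides whether its pseudo-version predates the fixing commit's timestamp (20240729232818, taken from the advisory's fixed pseudo-version). The sample go.mod, the module path `example.com/cliv2`, the `golang.org/x/text` filler entry and all function names are assumptions made for illustration; only the standard library is used.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample go.mod (not the repository's real cliv2/go.mod), modelled
// on the dependency hierarchy in this report: snyk-ls is required directly and
// pulls in gomarkdown/markdown at the vulnerable pseudo-version.
const sampleGoMod = `module example.com/cliv2

go 1.22

require github.com/snyk/snyk-ls v0.0.0-20240507082100-cc93dfb3c69e

require (
	github.com/gomarkdown/markdown v0.0.0-20240419095408-642f0ee99ae2 // indirect
	golang.org/x/text v0.14.0 // indirect
)
`

const (
	VulnModule = "github.com/gomarkdown/markdown"
	// UTC commit timestamp embedded in the fixed pseudo-version
	// v0.0.0-20240729232818-a2a9c4f76ef5 (CVE-2024-44337).
	FixTimestamp = "20240729232818"
)

// Requirement is one `require` entry from a go.mod file.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool
}

// ParseRequirements extracts every require directive, both the single-line
// form and the entries inside a `require ( ... )` block.
func ParseRequirements(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		indirect := strings.Contains(line, "// indirect")
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue // module, go, replace, ... directives are not requirements
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		reqs = append(reqs, Requirement{Path: fields[0], Version: fields[1], Indirect: indirect})
	}
	return reqs
}

// pseudoTS matches the 14-digit UTC commit timestamp that Go embeds in a
// pseudo-version such as v0.0.0-20240419095408-642f0ee99ae2.
var pseudoTS = regexp.MustCompile(`(\d{14})-[0-9a-f]{12}$`)

// Status classifies a gomarkdown/markdown version as "vulnerable", "fixed" or
// "unknown" (a tagged version carries no commit timestamp to compare, so it
// must be checked against the repository's tags by hand).
func Status(version string) string {
	m := pseudoTS.FindStringSubmatch(version)
	if m == nil {
		return "unknown"
	}
	// Both timestamps are fixed-width digit strings, so lexical order is
	// chronological order.
	if m[1] < FixTimestamp {
		return "vulnerable"
	}
	return "fixed"
}

// Assess finds the gomarkdown/markdown requirement in a go.mod and returns it
// together with its status; "absent" means the module is not required at all.
func Assess(gomod string) (Requirement, string) {
	for _, r := range ParseRequirements(gomod) {
		if r.Path == VulnModule {
			return r, Status(r.Version)
		}
	}
	return Requirement{}, "absent"
}

func main() {
	req, status := Assess(sampleGoMod)
	fmt.Printf("%s %s (indirect=%v): %s\n", req.Path, req.Version, req.Indirect, status)
	if status == "vulnerable" {
		// Pinning the fixing commit directly raises the transitive requirement.
		fmt.Println("go get " + VulnModule + "@a2a9c4f76ef5a5c32108e36f7c47f8d310322252 && go mod tidy")
	}
}
```

After raising the requirement (for example with `go get github.com/gomarkdown/markdown@a2a9c4f76ef5a5c32108e36f7c47f8d310322252` followed by `go mod tidy`), re-running the check against the updated go.mod reports `fixed`. The check reads only the go.mod text; `go list -m github.com/gomarkdown/markdown` shows the version the build actually selects, which is what matters when several requirements pull the module in at different versions.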