Closed mend-bolt-for-github[bot] closed 1 month ago
Seems like showdown is unmaintained and we should consider replacing it e.g. with https://github.com/markdown-it/markdown-it
Would be a good idea to replace it with a maintained library. We have custom extensions showdown-highlight and showdown-katex and would need to make sure something similar is also available / possible in https://github.com/markdown-it/markdown-it
https://www.npmjs.com/package/markdown-it-highlightjs and https://www.npmjs.com/package/markdown-it-latex should provide the required support to replace existing extensions.
The current usage of showdown is limited, so replacing it with markdown-it should not be a huge effort for someone with experience in this area.
Replacing it might also solve the currently oldest open issue: #768.
(But potentially break existing maths formulas in problem descriptions.)
markdown-it-latex also seems unmaintained; https://github.com/Mathpix/mathpix-markdown-it seems like the better option.
### Vulnerable Library - showdown-2.1.0.tgz
A Markdown to HTML converter written in Javascript
Library home page: https://registry.npmjs.org/showdown/-/showdown-2.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 128fd449925b98c946919a9dbb251a56811b22ad
### Vulnerabilities
- CVE-2024-1899

** In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.

### Details
CVE-2024-1899
### Vulnerable Library - showdown-2.1.0.tgz
A Markdown to HTML converter written in Javascript
Library home page: https://registry.npmjs.org/showdown/-/showdown-2.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- :x: **showdown-2.1.0.tgz** (Vulnerable Library)
Found in HEAD commit: 128fd449925b98c946919a9dbb251a56811b22ad
Found in base branch: develop
### Vulnerability Details
An issue in the anchors subparser of Showdownjs versions <= 2.1.0 could allow a remote attacker to cause denial of service conditions.
Publish Date: 2024-02-26
URL: CVE-2024-1899
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
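As an added triage example, not code from the issue thread, the Mend report, or the showdown or markdown-it projects: a dependency-free Node.js script that walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and flags every copy of showdown inside the affected range the report states (versions <= 2.1.0), including nested copies pulled in by other packages, which a check of `/package.json` alone would miss. The lockfile in the block is constructed for the example, and the version comparison is a plain three-part numeric compare rather than a full semver implementation.

```javascript
// Added example: flag copies of showdown in the affected range reported above.
// Not code from the issue thread, the Mend report, or the showdown project.
// Affected range taken from the advisory text on this page: versions <= 2.1.0.
const ADVISORY = { id: 'CVE-2024-1899', name: 'showdown', maxAffected: '2.1.0' };

// Parse "2.1.0", "v2.1.0", or a package.json range such as "^2.1.0" / "~2.1.0"
// into [major, minor, patch]. Returns null for anything that is not a plain version.
function parseVersion(v) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric three-part comparison returning -1, 0 or 1. Deliberately ignores
// pre-release tags: this is a triage helper, not a full semver implementation.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when name@version falls inside the advisory's affected range.
function isAffected(name, version) {
  if (name !== ADVISORY.name) return false;
  const v = parseVersion(version);
  if (v === null) return false; // unparseable: a real tool should report these separately
  return compareVersions(v, parseVersion(ADVISORY.maxAffected)) <= 0;
}

// Walk the `packages` map of a lockfileVersion 2/3 package-lock.json. Keys look like
// "node_modules/showdown" or "node_modules/plugin/node_modules/showdown" (nested copies),
// so the package name is whatever follows the last "node_modules/".
function findAffected(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const name = path.split('node_modules/').pop();
    if (info && isAffected(name, info.version)) {
      hits.push({ path, version: info.version, advisory: ADVISORY.id });
    }
  }
  return hits;
}

// Constructed sample lockfile for the example; not the project's real lockfile.
// It carries a direct showdown 2.1.0 plus an older nested copy pulled in by a plugin.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { showdown: '^2.1.0', 'markdown-it': '^14.0.0' } },
    'node_modules/showdown': { version: '2.1.0' },
    'node_modules/markdown-it': { version: '14.0.0' },
    'node_modules/legacy-plugin': { version: '1.0.0', dependencies: { showdown: '1.9.1' } },
    'node_modules/legacy-plugin/node_modules/showdown': { version: '1.9.1' },
  },
};

// Running the script prints both affected copies as a JSON list.
const REPORT = findAffected(SAMPLE_LOCK);
console.log(JSON.stringify(REPORT, null, 2));
```

Point `SAMPLE_LOCK` at a parsed real lockfile (`JSON.parse(fs.readFileSync('package-lock.json'))`) to run the same walk against a project; because the advisory on this page gives only an upper bound, the check treats every parseable version up to and including 2.1.0 as affected and flags nothing above it.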