{ "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24724", "STATE": "PUBLIC", "TITLE": "Integer overflow in table parsing extension leads to heap memory corruption" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "cmark-gfm", "version": { "version_data": [ { "version_value": "< 0.28.3.gfm.21" }, { "version_value": ">= 0.29.0.gfm.0, < 0.29.0.gfm.3" } ] } } ] }, "vendor_name": "github" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing `table.c:row_from_string` may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where `cmark-gfm` is used. If `cmark-gfm` is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the `cmark-gfm` library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-190: Integer Overflow or Wraparound" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x", "refsource": "CONFIRM", "url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x" }, { "refsource": "FEDORA", "name": "FEDORA-2022-557ad15f2e", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55K6VNVKO2G5SNKRCQ2KDG5SKTX5PVV/" }, { "refsource": "FEDORA", "name": "FEDORA-2022-725edc74c0", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TJBFIJEHJZEEDG6MO4MQHZYKUXELH77O/" }, { "refsource": "FEDORA", "name": "FEDORA-2022-bc43bafcfd", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7V3HAM5H6YFJG2QFEXACZR3XVWFTXTC/" }, { "refsource": "FEDORA", "name": "FEDORA-2022-c42d02e5e5", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5CYUU662VO6CCXQKVZVOHXX3RGIF2DLQ/" }, { "refsource": "FEDORA", "name": "FEDORA-2022-79b9a59e3b", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RSKUOJ2VAYGTJXPDE2RRPMNLVVMKCI77/" }, { "refsource": "FEDORA", "name": "FEDORA-2022-1f981071eb", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KH4UQA6VWVZU5EW3HNEAB7D7BTCNJSJ2/" }, { "refsource": "MISC", "name": "http://packetstormsecurity.com/files/166599/cmark-gfm-Integer-overflow.html", "url": "http://packetstormsecurity.com/files/166599/cmark-gfm-Integer-overflow.html" } ] }, "source": { "advisory": "GHSA-mc3g-88wq-6f4x", "discovery": "UNKNOWN" } }