{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-24824", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-30T14:43:33.705Z", "datePublished": "2023-03-31T22:01:18.220Z", "dateUpdated": "2025-02-11T17:19:40.510Z"}, "containers": {"cna": {"title": "Quadratic complexity may lead to a denial of service in cmark-gfm", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-407", "lang": "en", "description": "CWE-407: Inefficient Algorithmic Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh"}, {"name": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59", "tags": ["x_refsource_MISC"], "url": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59"}], "affected": [{"vendor": "github", "product": "cmark-gfm", "versions": [{"version": "< 0.29.0.gfm.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-31T22:01:18.220Z"}, "descriptions": [{"lang": "en", "value": "cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources."}], "source": {"advisory": "GHSA-66g8-4hjf-77xh", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:03:19.254Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh"}, {"name": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-11T17:19:34.977599Z", "id": "CVE-2023-24824", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T17:19:40.510Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh", "name": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59", "name": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:03:19.254Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-24824", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-11T17:19:34.977599Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T17:19:16.221Z"}}], "cna": {"title": "Quadratic complexity may lead to a denial of service in cmark-gfm", "source": {"advisory": "GHSA-66g8-4hjf-77xh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "github", "product": "cmark-gfm", "versions": [{"status": "affected", "version": "< 0.29.0.gfm.10"}]}], "references": [{"url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh", "name": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59", "name": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-407", "description": "CWE-407: Inefficient Algorithmic Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-31T22:01:18.220Z"}}}, "cveMetadata": {"cveId": "CVE-2023-24824", "state": "PUBLISHED", "dateUpdated": "2025-02-11T17:19:40.510Z", "dateReserved": "2023-01-30T14:43:33.705Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-03-31T22:01:18.220Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:github:cmark-gfm:*:*:*:*:*:*:*:*", "matchCriteriaId": "D388F6C5-34DD-4C62-9D86-0E10F97FC4EB", "versionEndExcluding": "0.29.0.gfm.10.", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources."}], "id": "CVE-2023-24824", "lastModified": "2024-11-21T07:48:28.123", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-31T23:15:07.153", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-407"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:8427", "cpe": "cpe:/a:redhat:enterprise_linux:8::crb", "impact": "moderate", "package": "pandoc-0:2.0.6-7.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-06-03T00:00:00Z"}], "bugzilla": {"description": "cmark-gfm: Quadratic complexity bugs may lead to a denial of service", "id": "2210172", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210172"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "(CWE-400|CWE-407)", "details": ["cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.", "A flaw was found in CommonMarker. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability."}, "name": "CVE-2023-24824", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "commonmarker", "product_name": "Red Hat 3scale API Management Platform 2"}], "public_date": "2023-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-24824\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-24824\nhttps://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh"], "statement": "This vulnerability can cause a potential denial of service (DoS) issue, but it can be classified as Moderate rather than Important due to a few key factors. First, the vulnerability specifically targets input with large numbers of specific characters (`>` or `-`), which means it is highly context-dependent and unlikely to be triggered by typical use cases. In practice, the majority of markdown documents are unlikely to contain these patterns in excessive quantities. Furthermore, the issue requires input from untrusted or malicious sources to be exploited, as normal, well-formed markdown documents will not trigger the problem. \nWhile the quadratic time complexity can lead to significant resource exhaustion under certain conditions, it does not inherently enable arbitrary code execution or direct access to sensitive system resources.", "threat_severity": "Moderate"}