CVE-2023-42821: Out-of-bounds Read
(updated )
The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion 0.0.0-20230922105210-14b16010c2ee, which corresponds with commit 14b16010c2ee7ff33a940a541d993bd043a88940, parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability. To exploit the vulnerability, parser needs to have parser.Mmark extension set. The panic occurs inside the citation.go file on the line 69 when the parser tries to access the element past its length. This can result in a denial of service. Commit 14b16010c2ee7ff33a940a541d993bd043a88940/pseudoversion 0.0.0-20230922105210-14b16010c2ee contains a patch for this issue.
References
- github.com/advisories/GHSA-m9xq-6h2j-65r2
- github.com/gomarkdown/markdown/blob/7478c230c7cd3e7328803d89abe591d0b61c41e4/parser/citation.go
- github.com/gomarkdown/markdown/commit/14b16010c2ee7ff33a940a541d993bd043a88940
- github.com/gomarkdown/markdown/security/advisories/GHSA-m9xq-6h2j-65r2
- nvd.nist.gov/vuln/detail/CVE-2023-42821
Detect and mitigate CVE-2023-42821 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →