Lucene search

GitHub_MCVE-2022-21681

HistoryJan 14, 2022 - 5:15 p.m.

CVE-2022-21681

2022-01-1417:15:13

CWE-1333

CWE-400

GitHub_M

web.nvd.nist.gov

100

marked

markdown parser

cve-2022-21681

denial of service

security

vulnerability

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

Confidence

High

EPSS

0.002

Percentile

60.8%

JSON

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Affected configurations

Nvd

Vulners

Node

marked_projectmarkedRange<4.0.10node.js

Node

fedoraprojectfedoraMatch36

VendorProductVersionCPE
marked_projectmarked*cpe:2.3:a:marked_project:marked:*:*:*:*:*:node.js:*:*
fedoraprojectfedora36cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
marked_project	marked	*	cpe:2.3:a:marked_project:marked::::::node.js::*
fedoraproject	fedora	36	cpe:2.3:o:fedoraproject:fedora:36:::::::*

CNA Affected

[
  {
    "vendor": "markedjs",
    "product": "marked",
    "versions": [
      {
        "version": "< 4.0.10",
        "status": "affected"
      }
    ]
  }
]