CVE-2022-24724 Integer overflow in table parsing extension leads to heap memory corruption

2022-03-0319:35:09

CWE-190

GitHub_M

www.cve.org

cve-2022-24724

cmark-gfm

table parsing

heap memory corruption

information leak

arbitrary code execution

remote code execution

vulnerability

patch

workaround

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.065

Percentile

93.7%

JSON

cmark-gfm is GitHub’s extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm’s table row parsing table.c:row_from_string may lead to heap memory corruption when parsing tables who’s marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where cmark-gfm is used. If cmark-gfm is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the cmark-gfm library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.

CNA Affected

[
  {
    "product": "cmark-gfm",
    "vendor": "github",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.28.3.gfm.21"
      },
      {
        "status": "affected",
        "version": ">= 0.29.0.gfm.0, < 0.29.0.gfm.3"
      }
    ]
  }
]