CVE-2020-5238

Denial of service in table parsing in cmark-gfm

Description

The table extension in GitHub Flavored Markdown before version 0.29.0.gfm.1 takes O(n * n) time to parse certain inputs. An attacker could craft a markdown table which would take an unreasonably long time to process, causing a denial of service. This issue does not affect the upstream cmark project. The issue has been fixed in version 0.29.0.gfm.1.

References

Link	Tags
https://github.com/github/cmark-gfm/security/advisories/GHSA-7gc6-9qr5-hc85	third party advisory
https://github.com/github/cmark-gfm/commit/85d895289c5ab67f988ca659493a64abb5fec7b4	third party advisory patch
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TCDHBTUFIOYRIS5HAS6PZNBNMB7IOAX3/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGJH2A4VAV54X6NSCNNGSEIGIIY5N2VR/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMQFOQQCWOAMQ4I2XIVCVOXXIJ75HDCW/	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2020-5238?: CVE-2020-5238 has been scored as a medium severity vulnerability.
How to fix CVE-2020-5238?: To fix CVE-2020-5238, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-5238 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2020-5238 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-5238?: CVE-2020-5238 affects github cmark-gfm.

Description

Category

CWE-20 – Improper Input Validation

References

Frequently Asked Questions