UBUNTU-CVE-2023-42821

Source
https://ubuntu.com/security/CVE-2023-42821
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-42821.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2023-42821
Related
Published
2023-09-22T17:15:00Z
Modified
2024-10-15T14:11:46Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion 0.0.0-20230922105210-14b16010c2ee, which corresponds with commit 14b16010c2ee7ff33a940a541d993bd043a88940, parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability. To exploit the vulnerability, parser needs to have parser.Mmark extension set. The panic occurs inside the citation.go file on the line 69 when the parser tries to access the element past its length. This can result in a denial of service. Commit 14b16010c2ee7ff33a940a541d993bd043a88940/pseudoversion 0.0.0-20230922105210-14b16010c2ee contains a patch for this issue.

References

Affected packages

Ubuntu:24.10 / golang-github-gomarkdown-markdown

Package

Name
golang-github-gomarkdown-markdown
Purl
pkg:deb/ubuntu/golang-github-gomarkdown-markdown?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.0~git20231115.a660076-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / golang-github-gomarkdown-markdown

Package

Name
golang-github-gomarkdown-markdown
Purl
pkg:deb/ubuntu/golang-github-gomarkdown-markdown?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.0~git20220731.dcdaee8-2
0.0~git20231115.a660076-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}