Bug 2082705 (CVE-2022-21680)

Summary: CVE-2022-21680 marked: regular expression block.def may lead Denial of Service
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adeza, agerstmayr, aileenc, aoconnor, asoldano, bbaranow, bmaxwell, bniver, boliveir, brian.stansberry, cdewolf, chazlett, ctubbsii, danmick, darran.lofthouse, david, dkreling, dosoudil, ego.cordatus, eric.wittmann, fboucher, fedora, fjuma, flucifre, ggaughan, gmalinko, gmeno, go-sig, gparvin, grafana-maint, idm-ds-dev-bugs, i, iweiss, janstey, jkurik, jochrist, josef, jschatte, jwendell, jwon, kkeithle, lgao, loic, mbenjamin, mgoodwin, mhackett, milleruntime, mosmerov, mpitt, msochure, msvehla, nathans, njean, nodejs-sig, nwallace, openstack-sig, orion, pahickey, pantinor, pdelbell, pdrozd, pjindal, pmackay, pskopek, ramkrsna, rareddy, rcernich, rstancel, rsvoboda, smaestri, sostapov, stcannon, steve, sthorger, stuart, tchollingsworth, tom.jenkinson, twalsh, vereddy, willb, yicai, zebob.m
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: markedjs 4.0.10 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the markedjs package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2083042, 2083043, 2083624, 2090335, 2090339, 2090340, 2090569, 2090570, 2090571, 2090572, 2090573, 2090574, 2090575, 2090576, 2090577, 2090578, 2090579, 2090580, 2090581, 2090582, 2090583, 2090584, 2090585, 2090586, 2090587, 2090588    
Bug Blocks: 2082707    

Description Patrick Del Bello 2022-05-06 20:14:47 UTC
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
https://github.com/markedjs/marked/releases/tag/v4.0.10

Comment 4 Sandipan Roy 2022-05-25 14:31:48 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2090335]

Comment 6 Sandipan Roy 2022-05-26 04:58:25 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 2090573]


Created gitqlient tracking bugs for this issue:

Affects: epel-all [bug 2090570]
Affects: fedora-all [bug 2090574]


Created golang-github-apache-beam-2 tracking bugs for this issue:

Affects: fedora-all [bug 2090575]


Created golang-github-apache-thrift tracking bugs for this issue:

Affects: fedora-all [bug 2090576]


Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-all [bug 2090577]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-all [bug 2090578]


Created marked tracking bugs for this issue:

Affects: fedora-all [bug 2090569]


Created python-drf-yasg tracking bugs for this issue:

Affects: epel-all [bug 2090571]
Affects: fedora-all [bug 2090579]


Created python-ipyparallel tracking bugs for this issue:

Affects: fedora-all [bug 2090580]


Created thrift tracking bugs for this issue:

Affects: epel-all [bug 2090572]
Affects: fedora-all [bug 2090581]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2090582]

Comment 9 Yi Cai 2022-06-03 19:32:16 UTC
Minimum Marked version is being used since Argo CD v2.3.0 on March 06, 2022 release. Closing this as won't fix.

References:
https://github.com/argoproj/argo-cd/releases/tag/v2.3.0
https://github.com/argoproj/argo-cd/pull/8573/files#diff-3a968206d6de2fecfc5dacd7d94bab7744c9f5d5c999a816164d95cbc135c316R5918

Comment 26 errata-xmlrpc 2023-06-15 15:59:45 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642