Bug 2082705 (CVE-2022-21680) - CVE-2022-21680 marked: regular expression block.def may lead Denial of Service
Summary: CVE-2022-21680 marked: regular expression block.def may lead Denial of Service
Keywords:
Status: NEW
Alias: CVE-2022-21680
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2083042 2083043 2083624 2090335 2090339 2090340 2090569 2090570 2090571 2090572 2090573 2090574 2090575 2090576 2090577 2090578 2090579 2090580 2090581 2090582 2090583 2090584 2090585 2090586 2090587 2090588
Blocks: 2082707
Reported: 2022-05-06 20:14 UTC by Patrick Del Bello
Modified: 2024-02-01 03:42 UTC (History)

Fixed In Version: markedjs 4.0.10
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the markedjs package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:3642 0 None None None 2023-06-15 15:59:50 UTC

Description Patrick Del Bello 2022-05-06 20:14:47 UTC
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
https://github.com/markedjs/marked/releases/tag/v4.0.10

Comment 4 Sandipan Roy 2022-05-25 14:31:48 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2090335]

Comment 6 Sandipan Roy 2022-05-26 04:58:25 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 2090573]


Created gitqlient tracking bugs for this issue:

Affects: epel-all [bug 2090570]
Affects: fedora-all [bug 2090574]


Created golang-github-apache-beam-2 tracking bugs for this issue:

Affects: fedora-all [bug 2090575]


Created golang-github-apache-thrift tracking bugs for this issue:

Affects: fedora-all [bug 2090576]


Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-all [bug 2090577]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-all [bug 2090578]


Created marked tracking bugs for this issue:

Affects: fedora-all [bug 2090569]


Created python-drf-yasg tracking bugs for this issue:

Affects: epel-all [bug 2090571]
Affects: fedora-all [bug 2090579]


Created python-ipyparallel tracking bugs for this issue:

Affects: fedora-all [bug 2090580]


Created thrift tracking bugs for this issue:

Affects: epel-all [bug 2090572]
Affects: fedora-all [bug 2090581]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2090582]

Comment 9 Yi Cai 2022-06-03 19:32:16 UTC
The minimum Marked version has been in use since the Argo CD v2.3.0 release on March 06, 2022. Closing this as won't fix.

References:
https://github.com/argoproj/argo-cd/releases/tag/v2.3.0
https://github.com/argoproj/argo-cd/pull/8573/files#diff-3a968206d6de2fecfc5dacd7d94bab7744c9f5d5c999a816164d95cbc135c316R5918

Comment 26 errata-xmlrpc 2023-06-15 15:59:45 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

