Bug 2082706 (CVE-2022-21681) - CVE-2022-21681 marked: regular expression inline.reflinkSearch may lead Denial of Service
Keywords:
Status: NEW
Alias: CVE-2022-21681
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2083044 2083045 2083623 2090337 2090341 2090342 2091866 2091867 2092712 2092713 2092714 2092715 2092716 2092717 2092718 2092719 2092720 2092721 2092722 2092723 2092724 2092725
Blocks: 2082707
Reported: 2022-05-06 20:14 UTC by Patrick Del Bello
Modified: 2024-02-01 03:42 UTC (History)

Fixed In Version: markedjs 4.0.10
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the markedjs package. Affected versions of this package are vulnerable to regular expression denial of service (ReDoS) attacks, affecting system availability.
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System: Red Hat Product Errata
ID: RHSA-2023:3642
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2023-06-15 15:59:59 UTC

Description Patrick Del Bello 2022-05-06 20:14:50 UTC
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj
https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5

Comment 4 Sandipan Roy 2022-05-25 14:32:10 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2090337]

Comment 7 TEJ RATHI 2022-06-02 06:28:49 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 2092716]


Created gitqlient tracking bugs for this issue:

Affects: epel-all [bug 2092713]
Affects: fedora-all [bug 2092717]


Created golang-github-apache-beam-2 tracking bugs for this issue:

Affects: fedora-all [bug 2092718]


Created golang-github-apache-thrift tracking bugs for this issue:

Affects: fedora-all [bug 2092719]


Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-all [bug 2092720]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-all [bug 2092721]


Created marked tracking bugs for this issue:

Affects: fedora-all [bug 2092712]


Created python-drf-yasg tracking bugs for this issue:

Affects: epel-all [bug 2092714]
Affects: fedora-all [bug 2092722]


Created python-ipyparallel tracking bugs for this issue:

Affects: fedora-all [bug 2092723]


Created thrift tracking bugs for this issue:

Affects: epel-all [bug 2092715]
Affects: fedora-all [bug 2092724]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2092725]

Comment 9 Yi Cai 2022-06-03 19:47:22 UTC
The minimum Marked version has been in use since the Argo CD v2.3.0 release on March 06, 2022. Closing this as won't fix.

References:
https://github.com/argoproj/argo-cd/releases/tag/v2.3.0
https://github.com/argoproj/argo-cd/pull/8573/files#diff-3a968206d6de2fecfc5dacd7d94bab7744c9f5d5c999a816164d95cbc135c316R5918

Comment 26 errata-xmlrpc 2023-06-15 15:59:53 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642
