Vulnerability Details : CVE-2023-28631
comrak is a CommonMark + GFM compatible Markdown parser and renderer written in rust. A Comrak AST can be constructed manually by a program instead of parsing a Markdown document with `parse_document`. This AST can then be converted to HTML via `html::format_document_with_plugins`. However, the HTML formatting code assumes that the AST is well-formed. For example, many AST notes contain `[u8]` fields which the formatting code assumes is valid UTF-8 data. Several bugs can be triggered if this is not the case. Version 0.17.0 contains adjustments to the AST, storing strings instead of unvalidated byte arrays. Users are advised to upgrade. Users unable to upgrade may manually validate UTF-8 correctness of all data when assigning to `&[u8]` and `Vec<u8>` fields in the AST. This issue is also tracked as `GHSL-2023-049`.
Products affected by CVE-2023-28631
- cpe:2.3:a:comrak_project:comrak:*:*:*:*:*:rust:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-28631
0.33%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 71 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-28631
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
3.9
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2023-28631
-
The product does not handle or incorrectly handles an exceptional condition.Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)
References for CVE-2023-28631
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VQ3UBC7LE4VPCMZBTADIBL353CH7CPVV/
[SECURITY] Fedora 36 Update: rust-askama_shared-0.12.2-4.fc36 - package-announce - Fedora Mailing-Lists
-
https://github.com/kivikakk/comrak/commit/9ff5f8df0ac951f5742d22a72c39b89a15f56639
Merge pull request from GHSA-5r3x-p7xx-x6q5 · kivikakk/comrak@9ff5f8d · GitHubPatch
-
https://github.com/kivikakk/comrak/security/advisories/GHSA-5r3x-p7xx-x6q5
Attacker controlled data in AST nodes is not validated (GHSL-2023-049) · Advisory · kivikakk/comrak · GitHubVendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUYME2VA555X6567H7ORIJQFN4BVGT6N/
[SECURITY] Fedora 37 Update: rust-comrak-0.18.0-1.fc37 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTWZWCT7KCX2KTXTLPUYZ3EHOONG4X46/
[SECURITY] Fedora 38 Update: rust-comrak-0.18.0-1.fc38 - package-announce - Fedora Mailing-Lists
Jump to