CVE-2022-24724

Integer overflow in table parsing extension leads to heap memory corruption

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing `table.c:row_from_string` may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where `cmark-gfm` is used. If `cmark-gfm` is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the `cmark-gfm` library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.

cmark-gfm es la versión extendida de GitHub de la implementación de referencia en C de CommonMark. En versiones anteriores a 0.29.0.gfm.3 y 0.28.3.gfm.21, un desbordamiento de enteros en el análisis de filas de tablas de cmark-gfm, "table.c:row_from_string", podía conllevar a una corrupción de la memoria de la pila cuando eran analizadas tablas cuyas filas de marcadores contenían más de UINT16_MAX columnas. El impacto de esta corrupción de memoria va desde un filtrado de información hasta una ejecución de código arbitrario, dependiendo de cómo y dónde es usado "cmark-gfm". Si "cmark-gfm" es usado para renderizar markdown controlado por usuarios remotos, esta vulnerabilidad puede conllevar a una Ejecución de Código Remota (RCE) en aplicaciones que empleen versiones afectadas de la biblioteca "cmark-gfm". Esta vulnerabilidad ha sido parcheada en las siguientes versiones de cmark-gfm: 0.29.0.gfm.3 y 0.28.3.gfm.21. Se presenta una medida de mitigación disponible. La vulnerabilidad se presenta en las extensiones de tablas markdown de cmark-gfm. Si es deshabilitada la extensión de la tabla, podrá evitarse que sea producida esta vulnerabilidad

cmark-gfm, Github's markdown parsing library, is vulnerable to an out-of-bounds write when parsing markdown tables with a high number of columns due to an overflow of the 16bit columns count.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-03-03 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-11-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-190: Integer Overflow or Wraparound

CAPEC

References (10)

URL	Tag	Source
https://github.com/github/cmark-gfm/security/advisories/GHSA-mc3g-88wq-6f4x	Third Party Advisory

URL	Date	SRC
http://packetstormsecurity.com/files/166599/cmark-gfm-Integer-overflow.html	2024-08-03

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5CYUU662VO6CCXQKVZVOHXX3RGIF2DLQ	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7V3HAM5H6YFJG2QFEXACZR3XVWFTXTC	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KH4UQA6VWVZU5EW3HNEAB7D7BTCNJSJ2	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSKUOJ2VAYGTJXPDE2RRPMNLVVMKCI77	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TJBFIJEHJZEEDG6MO4MQHZYKUXELH77O	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55K6VNVKO2G5SNKRCQ2KDG5SKTX5PVV	2023-11-07
https://access.redhat.com/security/cve/CVE-2022-24724	2022-07-18
https://bugzilla.redhat.com/show_bug.cgi?id=2060662	2022-07-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Github Search vendor "Github"		Cmark-gfm Search vendor "Github" for product "Cmark-gfm"				< 0.28.3.gfm.21 Search vendor "Github" for product "Cmark-gfm" and version " < 0.28.3.gfm.21"		-		Affected
Github Search vendor "Github"		Cmark-gfm Search vendor "Github" for product "Cmark-gfm"				> 0.28.3.gfm.21 < 0.29.0.gfm.3 Search vendor "Github" for product "Cmark-gfm" and version " > 0.28.3.gfm.21 < 0.29.0.gfm.3"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected