Bug 2082706 (CVE-2022-21681) - CVE-2022-21681 marked: regular expression inline.reflinkSearch may lead Denial of Service
Keywords:
Status: NEW
Alias: CVE-2022-21681
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2083044 2083045 2083623 2090337 2090341 2090342 2091866 2091867 2092712 2092713 2092714 2092715 2092716 2092717 2092718 2092719 2092720 2092721 2092722 2092723 2092724 2092725
Blocks:
Reported: 2022-05-06 20:14 UTC by Patrick Del Bello
Modified: 2024-02-01 03:42 UTC (History)

Fixed In Version: markedjs 4.0.10
Clone Of:
Environment:
Last Closed:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:3642 0 None None None 2023-06-15 15:59:59 UTC

Description Patrick Del Bello 2022-05-06 20:14:50 UTC
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj
https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5
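
The worker-with-time-limit workaround from the description, sketched as an added example that is not part of the bug report or the marked project. `renderWithTimeLimit` and the worker body are hypothetical names, and the slow pattern is a constructed stand-in with nested quantifiers, not marked's `inline.reflinkSearch`; a real deployment would call marked inside the worker instead.

```javascript
// Worker body, run in its own thread so a stuck regex cannot block the main event loop.
// Assumption: a real service would parse the markdown with marked here and post the HTML.
const WORKER_SOURCE = `
  const { parentPort, workerData } = require('node:worker_threads');
  // Constructed stand-in pattern that backtracks exponentially on near-matches.
  const slowPattern = /^(a+)+$/;
  parentPort.postMessage({ matched: slowPattern.test(workerData.input) });
`;

// Run the untrusted input in a worker and give up after limitMs milliseconds.
// Resolves to { status: 'ok', matched }, { status: 'timeout' } or { status: 'error', message }.
async function renderWithTimeLimit(input, limitMs) {
  const { Worker } = await import('node:worker_threads');
  return new Promise((resolve) => {
    const worker = new Worker(WORKER_SOURCE, { eval: true, workerData: { input } });
    let settled = false;
    const finish = (result) => {
      if (settled) return;          // first outcome wins; later events are ignored
      settled = true;
      clearTimeout(timer);
      resolve(result);
    };
    const timer = setTimeout(() => {
      worker.terminate();           // stops the thread even while the regex is backtracking
      finish({ status: 'timeout' });
    }, limitMs);
    worker.once('message', (msg) => finish({ status: 'ok', ...msg }));
    worker.once('error', (err) => finish({ status: 'error', message: err.message }));
    worker.once('exit', (code) =>
      finish({ status: 'error', message: `worker exited with code ${code}` }));
  });
}

// Constructed sample inputs: one that matches quickly, one that never finishes in time.
renderWithTimeLimit('aaaa', 5000).then((r) => console.log('benign input:', r));
renderWithTimeLimit('a'.repeat(40) + '!', 300).then((r) => console.log('slow input:', r));
```

A caller should treat `timeout` as a rejected document and log it, since repeated timeouts from one source are a useful signal that someone is probing the parser.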

Comment 4 Sandipan Roy 2022-05-25 14:32:10 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2090337]

Comment 7 TEJ RATHI 2022-06-02 06:28:49 UTC
Created ceph tracking bugs for this issue:

Affects: fedora-all [bug 2092716]


Created gitqlient tracking bugs for this issue:

Affects: epel-all [bug 2092713]
Affects: fedora-all [bug 2092717]


Created golang-github-apache-beam-2 tracking bugs for this issue:

Affects: fedora-all [bug 2092718]


Created golang-github-apache-thrift tracking bugs for this issue:

Affects: fedora-all [bug 2092719]


Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-all [bug 2092720]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-all [bug 2092721]


Created marked tracking bugs for this issue:

Affects: fedora-all [bug 2092712]


Created python-drf-yasg tracking bugs for this issue:

Affects: epel-all [bug 2092714]
Affects: fedora-all [bug 2092722]


Created python-ipyparallel tracking bugs for this issue:

Affects: fedora-all [bug 2092723]


Created thrift tracking bugs for this issue:

Affects: epel-all [bug 2092715]
Affects: fedora-all [bug 2092724]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2092725]

Comment 9 Yi Cai 2022-06-03 19:47:22 UTC
Minimum Marked version is being used since Argo CD v2.3.0 on March 06, 2022 release. Closing this as won't fix.

References:
https://github.com/argoproj/argo-cd/releases/tag/v2.3.0
https://github.com/argoproj/argo-cd/pull/8573/files#diff-3a968206d6de2fecfc5dacd7d94bab7744c9f5d5c999a816164d95cbc135c316R5918

Comment 26 errata-xmlrpc 2023-06-15 15:59:53 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

