CVE-2023-28631 MEDIUM

CVE-2023-28631: Attacker controlled data in AST nodes is not validated in comrak

Vendor Kivikakk
Product comrak
Weakness CWE-755
Published March 28, 2023
Last update February 18, 2025
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

comrak is a CommonMark + GFM compatible Markdown parser and renderer written in rust. A Comrak AST can be constructed manually by a program instead of parsing a Markdown document with `parse_document`. This AST can then be converted to HTML via `html::format_document_with_plugins`. However, the HTML formatting code assumes that the AST is well-formed. For example, many AST notes contain `[u8]` fields which the formatting code assumes is valid UTF-8 data. Several bugs can be triggered if this is not the case. Version 0.17.0 contains adjustments to the AST, storing strings instead of unvalidated byte arrays. Users are advised to upgrade. Users unable to upgrade may manually validate UTF-8 correctness of all data when assigning to `&[u8]` and `Vec<u8>` fields in the AST. This issue is also tracked as `GHSL-2023-049`.

Key dates

02Disclosure timeline

March 28, 2023 CVE published
February 18, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-42509 JFrog Artifactory Sensitive Data Leakage in Repository configuration process CVE-2021-22285 SECURITY – Denial of Service Vulnerabilities in SPIET800 INFI-Net to Ethernet Transfer module and PNI800 S+ Ethernet communication interface module CVE-2023-25561 Login fail open on JAAS misconfiguration in DataHub CVE-2022-21667 Denial of Service in soketi CVE-2024-32001 SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used