Vulnerability CVE-2024-44337 is detected one of the dependency github.com/gomarkdown/markdown #64

Open
shravanjoshi88 opened this issue Apr 9, 2025 · 2 comments

Comments

@shravanjoshi88

Vulnerability [CVE-2024-44337] is detected in one of the dependencies, github.com/gomarkdown/markdown. In order to fix this vulnerability, github.com/gomarkdown/markdown must be upgraded to version 0.0.0-20240729212818-a2a9c4f76ef5

CVSS Score : 5.1 (Medium)
Severity: Medium
Category: CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop')
Exploitability: EPSS 3.1% (86th percentile)

Vulnerability score: CVSS: 3

Advisory: GHSA-xhr3-wf7j-h255
Package: github.com/golang-jwt/jwt/v4
Affected versions: < 0.0.0-20240729212818-a2a9c4f76ef5
Patched versions = 0.0.0-20240729212818-a2a9c4f76ef5

CVE Details:
The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion v0.0.0-20240729232818-a2a9c4f, which corresponds with commit a2a9c4f76ef5a5c32108e36f7c47f8d310322252, there was a logical problem in the paragraph function of the parser/block.go file, which allowed a remote attacker to cause a denial of service (DoS) condition by providing a tailor-made input that caused an infinite loop, causing the program to hang and consume resources indefinitely. Commit a2a9c4f76ef5a5c32108e36f7c47f8d310322252 contains fixes to this problem.

References
https://nvd.nist.gov/vuln/detail/CVE-2024-44337
gomarkdown/markdown@a2a9c4f
https://github.com/Brinmon/CVE-2024-44337
https://pkg.go.dev/vuln/GO-2024-3205

@jamietanna
Member

Hi, have you checked if this dependency is actually used?

Via oapi-codegen/oapi-codegen#1304 it's unlikely to directly affect our usage, and although I appreciate that it may flag on CVE scanners, it's low priority for us to fix unless it directly affects our usage

@jamietanna
Member

% govulncheck ./
=== Symbol Results ===
No vulnerabilities found.
Your code is affected by 0 vulnerabilities.
This scan also found 0 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
Use '-show verbose' for more details.
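
The distinction in the scan output above, between a vulnerability in a module that is only required and one the code actually calls, can be read mechanically from the `govulncheck -json` stream. The following is an added example, not part of the thread or of the project's code: the sample stream is constructed, and `message`, `classify` and `sample` are names chosen here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type message struct { // subset of one `govulncheck -json` stream element
	Finding *struct {
		OSV   string `json:"osv"`
		Trace []struct {
			Package  string `json:"package"`
			Function string `json:"function"`
		} `json:"trace"`
	} `json:"finding"`
}

// Constructed sample stream: one module-level finding, as in the scan above.
const sample = `{"progress":{"message":"scanning"}} {"finding":{"osv":"GO-2024-3205","trace":[{"module":"github.com/gomarkdown/markdown"}]}}`

// classify maps each OSV ID to the strongest evidence level found in the stream.
func classify(stream string) (map[string]string, error) {
	rank := map[string]int{"module": 1, "package": 2, "symbol": 3}
	out := map[string]string{}
	dec := json.NewDecoder(strings.NewReader(stream))
	for dec.More() {
		var m message
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue
		}
		level := "module" // module is required, nothing from it is imported
		if f := m.Finding.Trace[0]; f.Function != "" {
			level = "symbol" // a vulnerable function is reachable from the code
		} else if f.Package != "" {
			level = "package" // package is imported, vulnerable symbol not called
		}
		if rank[level] > rank[out[m.Finding.OSV]] {
			out[m.Finding.OSV] = level
		}
	}
	return out, nil
}

func main() {
	fmt.Println(classify(sample))
}
```

A CI gate built on this can fail the build only for `symbol` results and record `package` and `module` results as upgrade backlog.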
