Improper Handling of Exceptional Conditions Affecting comrak package, versions <0.17.0
Snyk CVSS
Attack Complexity
Low
Threat Intelligence
EPSS
0.41% (74th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUST-COMRAK-5291799
- published 29 Mar 2023
- disclosed 28 Mar 2023
- credit Unknown
Introduced: 28 Mar 2023
CVE-2023-28631 Open this link in a new tabHow to fix?
Upgrade comrak
to version 0.17.0 or higher.
Overview
Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions when AST can be constructed manually by a program instead of parsing a Markdown document with parse_document
. This AST can then be converted to HTML via html::format_document_with_plugins
. However, the HTML formatting code assumes that the AST is well-formed. For example, many AST notes contain [u8]
fields which the formatting code assumes is valid UTF-8 data.
Workaround
- Validate UTF-8 correctness of all data when assigning to
&[u8]
andVec<u8>
fields in the AST.