Bug 493924

Summary: CVE-2023-24824 in cmark-gfm
Product: [Applications] ghostwriter
Reporter: khroyan.garnik
Component: general
Assignee: megan.conkle
Status: CONFIRMED ---
Severity: normal
Priority: NOR
Version First Reported In: unspecified
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description khroyan.garnik 2024-10-01 14:46:19 UTC
Hi, I noticed that ghostwriter uses cmark-gfm, and recently, a vulnerability was reported in cmark-gfm under CVE-2023-24824. Upon reviewing the ghostwriter sources, it seems the patch for this vulnerability has not been applied. I'm not sure if this could pose a problem for the project, but I thought it would be important to inform you.

My report was primarily based on a static analysis tool developed at CAST, which flagged the potential vulnerability due to similarities in the codebase.

More information:
https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh
https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59
https://castech.am/