Bug 493924 - CVE-2023-24824 in cmark-gfm
Summary: CVE-2023-24824 in cmark-gfm
Status: CONFIRMED
Alias: None
Product: ghostwriter
Classification: Applications
Component: general (other bugs)
Version First Reported In: unspecified
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: megan.conkle
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-10-01 14:46 UTC by khroyan.garnik
Modified: 2024-10-12 21:41 UTC

See Also:
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:


Description khroyan.garnik 2024-10-01 14:46:19 UTC
Hi, I noticed that ghostwriter uses cmark-gfm, and recently, a vulnerability was reported in cmark-gfm under CVE-2023-24824. Upon reviewing the ghostwriter sources, it seems the patch for this vulnerability has not been applied. I'm not sure if this could pose a problem for the project, but I thought it would be important to inform you.

My report was primarily based on a static analysis tool developed at CAST, which flagged the potential vulnerability due to similarities in the codebase.

More information:
https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh
https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59
https://castech.am/