关联漏洞
标题:
Markdown 安全漏洞
(CVE-2024-44337)
描述:Markdown是gomarkdown开源的一个用于解析 Markdown 文本并渲染为 HTML 的 Go 库。 Markdown存在安全漏洞,该漏洞源于parser/block.go文件的paragraph函数中存在逻辑问题。
描述
CVE-2024-44337 POC The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. which allowed a remote attacker to cause a denial of service (DoS) condition by providing a tailor-made input that caused an infinite loop, causing the program to hang and consume resources indefinitely.
介绍
# CVE-2024-44337
CVE-2024-44337 POC The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. which allowed a remote attacker to cause a denial of service (DoS) condition by providing a tailor-made input that caused an infinite loop, causing the program to hang and consume resources indefinitely.
The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion `v0.0.0-20240729232818-a2a9c4f`, which corresponds with commit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252`, there was a logical problem in the paragraph function of the parser/block.go file, which allowed a remote attacker to cause a denial of service (DoS) condition by providing a tailor-made input that caused an infinite loop, causing the program to hang and consume resources indefinitely. Submit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252` contains fixes to this problem.
# About
Link:
- ["Program Hanged (Timeout 10 Seconds)" Found Using go-fuzz in gomarkdown/markdown · Issue #311 · gomarkdown/markdown (github.com)](https://github.com/gomarkdown/markdown/issues/311)
- [fix infinite loop with empty list definition (fixes #311) · gomarkdown/markdown@a2a9c4f (github.com)](https://github.com/gomarkdown/markdown/commit/a2a9c4f76ef5a5c32108e36f7c47f8d310322252)
# README.
- zh_CN [简体中文](readme/README.zh_CN.md)
文件快照
[4.0K] /data/pocs/48be3d731b39fd2a96f27950f3f0bd8547167fb8
├── [4.0K] crashers
│ ├── [ 26] 6352b36848220fd923515ee94b6a90237024e28b
│ ├── [4.8K] 6352b36848220fd923515ee94b6a90237024e28b.output
│ └── [ 48] 6352b36848220fd923515ee94b6a90237024e28b.quoted
├── [4.0K] exp
│ └── [ 381] fuzz.go
├── [4.0K] readme
│ └── [ 634] README.zh_CN.md
└── [1.4K] README.md
3 directories, 6 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。