EIQ-2019-0038

ID	EIQ-2019-0038
CVE	-
Description	markdown-it is vulnerable to regular expression denial of service
Date	21 Oct 2019
Severity	2 - MEDIUM
CVSSv3 score	5.3
Status	2.6.0
Assessment	markdown-it versions 9.1.0 and earlier is vulnerable to regular expression denial of service (ReDoS). Affected versions of the Node.js module may take quadratic time to parse crafted regular expressions such as the one in the following example: `___` A signed-in user without admin access rights could enter an iterative sequence of `___` characters in one of the following entity input fields: Summary (report entity type only). Analysis (all supported entity types). The user would need at least this permission: modify blob-uploads To exploit the vulnerability, the user would need to manually upload to the platform an entity in .json format. The .json file would need to include the following custom JSON fields to enable markdown parsing in the Analysis (`data.description`) and Summary (`data.short_description`) fields, respectively: `data.description_structuring_format": "md"` `data.short_description_structuring_format": "md"` The `data.description` (Analysis) and/or the `data.short_description` (Summary) fields would need to hold an extremely long iterative sequence of `_` characters. The resulting .json file would be several MB in size. Upon opening such a crafted .json entity in the entity detail panel, parsing the markdown input would take quadratic time, which is computationally expensive. This may result in a denial of service (CPU consumption): the currently active entity detail pane may take some time to open, and it could freeze. To restore the view, the user would need to refresh the browser tab. The following example includes relevant fields from a report entity to show where in the entity JSON structure the `data.description` (Analysis) and/or the `data.short_description` (Summary) fields need to be included to exploit the vulnerability: `{` `"content-type":` `"urn:eclecticiq.com:json:1.0",` `"enrichments": [],` `"entities": [` `{` `"attachments": [],` `"data": {` `"description":` `"PSIRT test _this is markdown italics_ and this is more text in markdown bold",` `"description_structuring_format":` `"md", \\ value can be` `'md'` `or` `'markdown'` `...` `"short_description":` `"PSIRT test _this is markdown italics_ and this is more text in markdown bold*",` `"short_description_structuring_format":` `"md", \\ value can be` `'md'` `or` `'markdown'` `"timestamp":` `"2019-10-25T09:51:40.252821+00:00",` `"title":` `"PSIRT test",` `"type":` `"report"` `},` `...` `}` `],` `...` `}`
Mitigation	Upgrade to markdown-it version 10.0.0 or later. To freeze the detail pane, the uploaded .json files containing the crafted payload exceeds 10 MB in size. By default, it is not possible to manually upload to the platform files whose size exceeds 10 MB. We recommend keeping the default value.
Affected versions	2.5.0 and earlier.
Notes	For more information, see: Snyk report about the vulnerability GitHub issue about the vulnerability GitHub commit with the fix

< Back to all security issues and mitigation actions

In release notes 2.6.0