EIQ-2019-0038

ID

EIQ-2019-0038

CVE

-

Description

markdown-it is vulnerable to regular expression denial of service

Date

21 Oct 2019

Severity

2 - MEDIUM

CVSSv3 score

5.3

Status

✅ 2.6.0

Assessment

markdown-it versions 9.1.0 and earlier are vulnerable to regular expression denial of service (ReDoS).

Affected versions of the Node.js module may take quadratic time to parse crafted input strings such as the one in the following example:

*_*_*_

A signed-in user without admin access rights could enter a repeated sequence of *_*_*_ characters in one of the following entity input fields:

  • Summary (report entity type only).

  • Analysis (all supported entity types).

The user would need at least this permission:

  • modify blob-uploads

To exploit the vulnerability, the user would need to manually upload to the platform an entity in .json format.

The .json file would need to include the following custom JSON fields to enable markdown parsing in the Analysis (data.description) and Summary (data.short_description) fields, respectively:

  • data.description_structuring_format: "md"

  • data.short_description_structuring_format: "md"

The data.description (Analysis) and/or the data.short_description (Summary) fields would need to hold an extremely long repeated sequence of *_ characters.

The resulting .json file would be several MB in size.

Upon opening such a crafted .json entity in the entity detail panel, parsing the markdown input would take quadratic time, which is computationally expensive.

This may result in a denial of service (CPU consumption): the currently active entity detail pane may take some time to open, and it could freeze.

To restore the view, the user would need to refresh the browser tab.

The following example includes relevant fields from a report entity to show where in the entity JSON structure the data.description (Analysis) and/or the data.short_description (Summary) fields need to be included to exploit the vulnerability:

{
  "content-type": "urn:eclecticiq.com:json:1.0",
  "enrichments": [],
  "entities": [
    {
      "attachments": [],
      "data": {
        "description": "PSIRT test _this is markdown italics_ and this is more text in **markdown bold**",
        "description_structuring_format": "md", // value can be 'md' or 'markdown'
        ...
        "short_description": "PSIRT test _this is markdown italics_ and this is more text in **markdown bold**",
        "short_description_structuring_format": "md", // value can be 'md' or 'markdown'
        "timestamp": "2019-10-25T09:51:40.252821+00:00",
        "title": "PSIRT test",
        "type": "report"
      },
      ...
    }
  ],
  ...
}

Mitigation

Upgrade to markdown-it version 10.0.0 or later.

To freeze the detail pane, the uploaded .json file containing the crafted payload must exceed 10 MB in size.

By default, it is not possible to manually upload to the platform files whose size exceeds 10 MB.

We recommend keeping the default value.
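As an added example, not code from the EclecticIQ platform or from markdown-it, the following Node.js guard applies a size check to the entity JSON structure shown above before any field reaches the markdown parser: for each field flagged for markdown structuring it rejects oversized text and text made up mostly of '*'/'_' delimiters, the shape of the input this advisory describes. The function checkEntityUpload, the constants MAX_MD_BYTES and MAX_DELIMITER_RATIO and the sample upload are assumptions; the field names come from the advisory.

```javascript
// Added example, not EclecticIQ platform or markdown-it code: a pre-parse guard
// for uploaded entity JSON. For each field flagged for markdown structuring it checks
// (1) a per-field byte budget and (2) whether the text is dominated by emphasis delimiters.
const MAX_MD_BYTES = 64 * 1024;    // assumed per-field cap (the platform's 10 MB is an upload limit)
const MAX_DELIMITER_RATIO = 0.5;   // assumed: more than half '*'/'_' is suspicious

// structuring-format key -> the text field it governs (names from the advisory)
const MD_FIELDS = {
  description_structuring_format: 'description',             // Analysis
  short_description_structuring_format: 'short_description', // Summary
};

function isMarkdown(format) {
  return format === 'md' || format === 'markdown';
}

// Fraction of characters that are '*' or '_'.
function delimiterRatio(text) {
  if (text.length === 0) return 0;
  let n = 0;
  for (const ch of text) if (ch === '*' || ch === '_') n++;
  return n / text.length;
}

// Returns findings [{entity, field, reason}]; an empty array means the upload is fine.
function checkEntityUpload(upload) {
  const findings = [];
  const entities = Array.isArray(upload.entities) ? upload.entities : [];
  entities.forEach((entity, idx) => {
    const data = entity.data || {};
    for (const [fmtKey, textKey] of Object.entries(MD_FIELDS)) {
      if (!isMarkdown(data[fmtKey])) continue;  // plain text never reaches markdown-it
      const text = typeof data[textKey] === 'string' ? data[textKey] : '';
      const bytes = Buffer.byteLength(text, 'utf8');
      if (bytes > MAX_MD_BYTES) {
        findings.push({ entity: idx, field: textKey, reason: `${bytes} bytes exceeds ${MAX_MD_BYTES}` });
      } else if (delimiterRatio(text) > MAX_DELIMITER_RATIO) {
        findings.push({ entity: idx, field: textKey, reason: 'mostly "*"/"_" delimiters' });
      }
    }
  });
  return findings;
}

// Constructed sample upload: a benign report, an oversized "*_" Analysis field, a delimiter-only Summary.
const benign = { data: { type: 'report', description: 'PSIRT test _italics_ and **bold**', description_structuring_format: 'md' } };
const oversized = { data: { type: 'report', description: '*_'.repeat(100000), description_structuring_format: 'markdown' } };
const delimOnly = { data: { type: 'report', short_description: '*_'.repeat(100), short_description_structuring_format: 'md' } };
const sampleUpload = { 'content-type': 'urn:eclecticiq.com:json:1.0', entities: [benign, oversized, delimOnly] };
console.log(checkEntityUpload(sampleUpload));
```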

Affected versions

2.5.0 and earlier.

Notes

For more information, see: