markdown_it_py-2.1.0-py3-none-any.whl: 2 vulnerabilities (highest severity is: 5.5)
mend-for-github-com opened this issue
Vulnerable Library - markdown_it_py-2.1.0-py3-none-any.whl
Python port of markdown-it. Markdown parsing, done right!
Library home page: https://files.pythonhosted.org/packages/f9/3f/ecd1b708973b9a3e4574b43cffc1ce8eb98696da34f1a1c44a68c3c0d737/markdown_it_py-2.1.0-py3-none-any.whl
Found in HEAD commit: 721c85d8c1c7916ebe7351559bf0e1dc82e35aea
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (markdown_it_py version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-26303 | Medium | 5.5 | markdown_it_py-2.1.0-py3-none-any.whl | Direct | 2.2.0 | ❌ |
CVE-2023-26302 | Medium | 5.5 | markdown_it_py-2.1.0-py3-none-any.whl | Direct | 2.2.0 | ❌ |
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2023-26303
Vulnerable Library - markdown_it_py-2.1.0-py3-none-any.whl
Python port of markdown-it. Markdown parsing, done right!
Library home page: https://files.pythonhosted.org/packages/f9/3f/ecd1b708973b9a3e4574b43cffc1ce8eb98696da34f1a1c44a68c3c0d737/markdown_it_py-2.1.0-py3-none-any.whl
Dependency Hierarchy:
- ❌ markdown_it_py-2.1.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 721c85d8c1c7916ebe7351559bf0e1dc82e35aea
Found in base branch: master
Vulnerability Details
Denial of service could be caused to markdown-it-py, before v2.2.0, if an attacker was allowed to force null assertions with specially crafted input.
Publish Date: 2023-02-23
URL: CVE-2023-26303
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26303
Release Date: 2023-02-23
Fix Resolution: 2.2.0
CVE-2023-26302
Vulnerable Library - markdown_it_py-2.1.0-py3-none-any.whl
Python port of markdown-it. Markdown parsing, done right!
Library home page: https://files.pythonhosted.org/packages/f9/3f/ecd1b708973b9a3e4574b43cffc1ce8eb98696da34f1a1c44a68c3c0d737/markdown_it_py-2.1.0-py3-none-any.whl
Dependency Hierarchy:
- ❌ markdown_it_py-2.1.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 721c85d8c1c7916ebe7351559bf0e1dc82e35aea
Found in base branch: master
Vulnerability Details
Denial of service could be caused to the command line interface of markdown-it-py, before v2.2.0, if an attacker was allowed to use invalid UTF-8 characters as input.
Publish Date: 2023-02-22
URL: CVE-2023-26302
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26302
Release Date: 2023-02-22
Fix Resolution: 2.2.0