Workflow

PyPi: Md4c

CVE-2020-26148

Transitive

Safety vulnerability ID: 42027

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 30, 2020 Updated at Mar 22, 2023
Scan your Python projects for vulnerabilities →

Advisory

Md4c (Python bindings) v1.0.0 includes a fix for 'ISANYOF' macro, which is vulnerable in md4c main package versions before 0.4.6: The mentioned macro could provide unexpected results when encountering zero byte in the input text; in some cases leading to broken internal state of the parser. The bug could result in a denial of service and possibly also in other security implications.
https://github.com/mity/md4c/issues/130

Affected package

md4c

Latest version: 1.0.0

Markdown parsing.

Affected versions

Fixed versions

Vulnerability changelog

Fixes:

* [130](https://github.com/mity/md4c/issues/130):
Fix `ISANYOF` macro, which could provide unexpected results when encountering
zero byte in the input text; in some cases leading to broken internal state
of the parser.

The bug could result in denial of service and possibly also to other security
implications. Applications are advised to update to 0.4.6.

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Availability (A)
HIGH

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV)
NETWORK
Access Complexity (AC)
LOW
Authentication (Au)
NONE
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Impact (A)
PARTIAL