The Markdown parser in Zulip server before 2.0.5 used a... · CVE-2019-16215 · GitHub Advisory Database · GitHub

The Markdown parser in Zulip server before 2.0.5 used a...

Moderate severity Unreviewed Published May 24, 2022 to the GitHub Advisory Database • Updated Feb 18, 2024

Package

No package listed— Suggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. A user who is logged into the server could send a crafted message causing the server to spend an effectively arbitrary amount of CPU time and stall the processing of future messages.

References

Published by the National Vulnerability Database

Sep 18, 2019

Published to the GitHub Advisory Database May 24, 2022

Last updated Feb 18, 2024

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H