CVE-2021-38186: XSS in `comrak`
Severity: MEDIUM (6.1) | EPSS: 0.20%
Published: 8/25/2021 | Modified: 11/8/2023
Description
[comrak](https://github.com/kivikakk/comrak) operates by default in a "safe" mode of operation in which unsafe content, such as arbitrary raw HTML or URLs with non-standard schemes, is not permitted in the output. This matches the reference GFM implementation, [cmark-gfm](https://github.com/github/cmark). Ampersands were not being correctly escaped in link targets, making it possible to fashion unsafe URLs using schemes like `data:` or `javascript:` by entering them as HTML entities, e.g. `data:`. The intended behaviour, demonstrated upstream, is that these entities are escaped in the output and therefore harmless, but this behaviour was broken in comrak.
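The following Rust is an added example, not comrak's own code and not the upstream patch. It models the mechanism the description refers to: a link destination written with a character reference is copied into `href`, and whether the browser ends up with a `javascript:` URL depends entirely on whether the renderer escaped the `&`. The function names (`escape_href`, `browser_decode_attr`, `is_dangerous_url`, `renders_dangerous`) and the sample destination are assumptions made for this demonstration; the scheme list follows cmark-gfm's safe-mode check, minus its `data:image/...` allowance.

```rust
// Added example (not comrak's code): the attribute-escaping step missing in
// comrak < 0.10.1, a simplified model of browser attribute decoding, and the
// scheme check that safe mode depends on. Sample input is constructed.

/// Escape a link destination for use inside an HTML attribute value.
/// `&` -> `&amp;` is the escape comrak omitted; without it the browser
/// decodes whatever character reference the author typed.
pub fn escape_href(dest: &str) -> String {
    let mut out = String::with_capacity(dest.len());
    for c in dest.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable rendering: destination copied into href verbatim.
pub fn render_link_vulnerable(dest: &str) -> String {
    format!("<a href=\"{}\">link</a>", dest)
}

/// Fixed rendering: destination attribute-escaped first.
pub fn render_link_fixed(dest: &str) -> String {
    format!("<a href=\"{}\">link</a>", escape_href(dest))
}

/// Minimal model of browser attribute decoding: numeric references
/// (`&#NNN;`, `&#xHH;`) plus the named ones an escaper emits. Each
/// reference is decoded exactly once, so `&amp;#x6A;` yields the literal
/// text `&#x6A;`, not `j`.
pub fn browser_decode_attr(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    let mut rest = value;
    while let Some(pos) = rest.find('&') {
        out.push_str(&rest[..pos]);
        let tail = &rest[pos..];
        let end = match tail.find(';') {
            Some(e) => e,
            None => {
                out.push_str(tail);
                return out;
            }
        };
        let entity = &tail[1..end];
        let decoded = if let Some(hex) = entity
            .strip_prefix("#x")
            .or_else(|| entity.strip_prefix("#X"))
        {
            u32::from_str_radix(hex, 16).ok().and_then(char::from_u32)
        } else if let Some(dec) = entity.strip_prefix('#') {
            dec.parse::<u32>().ok().and_then(char::from_u32)
        } else {
            match entity {
                "amp" => Some('&'),
                "lt" => Some('<'),
                "gt" => Some('>'),
                "quot" => Some('"'),
                _ => None,
            }
        };
        match decoded {
            Some(c) => out.push(c),
            None => out.push_str(&tail[..=end]), // unknown reference kept as-is
        }
        rest = &tail[end + 1..];
    }
    out.push_str(rest);
    out
}

/// Scheme check on the URL the browser would actually use. Mirrors the
/// schemes cmark-gfm's safe mode rejects (it additionally allows a few
/// `data:image/...` types, which this simplified check does not).
pub fn is_dangerous_url(url: &str) -> bool {
    let lower = url.trim_start().to_ascii_lowercase();
    ["javascript:", "vbscript:", "file:", "data:"]
        .iter()
        .any(|scheme| lower.starts_with(scheme))
}

/// Pull the href attribute value out of a rendered anchor.
pub fn href_of(html: &str) -> Option<&str> {
    let start = html.find("href=\"")? + "href=\"".len();
    let len = html[start..].find('"')?;
    Some(&html[start..start + len])
}

/// End-to-end: after browser decoding, does the anchor carry a blocked scheme?
pub fn renders_dangerous(html: &str) -> bool {
    href_of(html).map_or(false, |h| is_dangerous_url(&browser_decode_attr(h)))
}

fn main() {
    // Constructed sample: `javascript:` with its first letter as a hex reference.
    let dest = "&#x6A;avascript:alert(1)";
    let cases = [
        ("vulnerable", render_link_vulnerable(dest)),
        ("fixed", render_link_fixed(dest)),
    ];
    for (label, html) in cases.iter() {
        println!("{}: {} -> dangerous: {}", label, html, renders_dangerous(html));
    }
}
```

The point to take from the two outputs: the vulnerable anchor decodes in the browser to `javascript:alert(1)`, while the fixed anchor decodes to the literal text `&#x6A;avascript:alert(1)`, which is just an odd relative URL. A scheme check that runs on the raw destination before output would pass both, so the escape on output, not the check alone, is what makes safe mode hold.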
Affected packages (2)
- crates.io/comrak: from 0, < 0.10.1
- crates.io/comrak: >= 0.0.0-0, < 0.10.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-38186
- PATCH: https://crates.io/crates/comrak
- PATCH: https://github.com/kivikakk/comrak
- WEB: https://github.com/kivikakk/comrak/commit/b72340cabe4749952530b4fb6b4fcc706bc973e5
- WEB: https://github.com/kivikakk/comrak/compare/0.10.0...0.10.1
- WEB: https://github.com/kivikakk/comrak/releases/tag/0.10.1
- WEB: https://rustsec.org/advisories/RUSTSEC-2021-0063.html