![]() There are no known workarounds for this vulnerability. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. This issue is also tracked as `GHSL-2023-049`. Users unable to upgrade may manually validate UTF-8 correctness of all data when assigning to `&` and `Vec` fields in the AST. Version 0.17.0 contains adjustments to the AST, storing strings instead of unvalidated byte arrays. Several bugs can be triggered if this is not the case. For example, many AST notes contain `` fields which the formatting code assumes is valid UTF-8 data. However, the HTML formatting code assumes that the AST is well-formed. This AST can then be converted to HTML via `html::format_document_with_plugins`. A Comrak AST can be constructed manually by a program instead of parsing a Markdown document with `parse_document`. Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a convertion by Jenkins Convert To Pipeline Plugin.Ĭomrak is a CommonMark + GFM compatible Markdown parser and renderer written in rust.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |