5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28631

GHSA ID

GHSA-5r3x-p7xx-x6q5

EPSS Score

0.48036%

CWE

CWE-755

Published

3/28/2023

Updated

5/1/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-28631

CVE-2023-28631: Comrak AST node data is not validated (GHSL-2023-049)

Impact

A Comrak AST can be constructed manually by a program instead of parsing a Markdown document with parse_document. This AST can then be converted to HTML via html::format_document_with_plugins. However, the HTML formatting code assumes that the AST is well-formed. For example, many AST notes contain [u8] fields which the formatting code assumes is valid UTF-8 data. Several bugs can be triggered if this is not the case.

Patches

0.17.0 contains adjustments to the AST, storing strings instead of unvalidated byte arrays.

Workarounds

Validate UTF-8 correctness of all data when assigning to &[u8] and Vec<u8> fields in the AST.

References

n/a

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28631

GHSA ID

GHSA-5r3x-p7xx-x6q5

EPSS Score

0.48036%

CWE

CWE-755

Published

3/28/2023

Updated

5/1/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
comrak	rust	< 0.17.0	0.17.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from AST nodes storing unvalidated byte arrays (Vec<u8>) that were assumed to be valid UTF-8. The HTML formatter functions directly processed these raw bytes without validation. Key functions in html.rs (format_text, format_code, etc.) were modified in the patch to use String fields' .as_bytes() instead of raw Vec<u8>, indicating they previously handled unvalidated bytes. These functions would crash or misbehave when given non-UTF-8 data through manually constructed ASTs, which is exactly the attack vector described in GHSL-2023-049.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * *omr*k *ST **n ** *onstru*t** m*nu*lly *y * pro*r*m inst*** o* p*rsin* * M*rk*own *o*um*nt wit* `p*rs*_*o*um*nt`. T*is *ST **n t**n ** *onv*rt** to *TML vi* `*tml::*orm*t_*o*um*nt_wit*_plu*ins`. *ow*v*r, t** *TML *orm*ttin* *o** *ssum*s

Reasoning

T** vuln*r**ility st*mm** *rom *ST no**s storin* unv*li**t** *yt* *rr*ys (V**<u*>) t**t w*r* *ssum** to ** v*li* UT*-*. T** *TML *orm*tt*r *un*tions *ir**tly pro**ss** t**s* r*w *yt*s wit*out v*li**tion. K*y *un*tions in *tml.rs (*orm*t_t*xt, *orm*t_

5.3

Basic Information

Concerned about an active attack path?

CVE-2023-28631: Comrak AST node data is not validated (GHSL-2023-049)

Impact

Patches

Workarounds

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI