5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-28631

GHSA ID

GHSA-5r3x-p7xx-x6q5

EPSS Score

0.48036%

CWE

CWE-755

Published

3/28/2023

Updated

5/1/2023

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-28631

CVE-2023-28631: Comrak AST node data is not validated (GHSL-2023-049)

Impact

A Comrak AST can be constructed manually by a program instead of parsing a Markdown document with parse_document. This AST can then be converted to HTML via html::format_document_with_plugins. However, the HTML formatting code assumes that the AST is well-formed. For example, many AST notes contain [u8] fields which the formatting code assumes is valid UTF-8 data. Several bugs can be triggered if this is not the case.

Patches

0.17.0 contains adjustments to the AST, storing strings instead of unvalidated byte arrays.

Workarounds

Validate UTF-8 correctness of all data when assigning to &[u8] and Vec<u8> fields in the AST.

References

n/a

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-28631

CVE-2023-28631:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-28631

GHSA ID

GHSA-5r3x-p7xx-x6q5

EPSS Score

0.48036%

CWE

CWE-755

Published

3/28/2023

Updated

5/1/2023

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
comrak	rust	< 0.17.0	0.17.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from AST nodes storing unvalidated byte arrays (Vec<u8>) that were assumed to be valid UTF-8. The HTML formatter functions directly processed these raw bytes without validation. Key functions in html.rs (format_text, format_code, etc.) were modified in the patch to use String fields' .as_bytes() instead of raw Vec<u8>, indicating they previously handled unvalidated bytes. These functions would crash or misbehave when given non-UTF-8 data through manually constructed ASTs, which is exactly the attack vector described in GHSL-2023-049.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-28631: Comrak AST node data is not validated (GHSL-2023-049)

Impact

Patches

Workarounds

References

CVE-2023-28631:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5.3

5.3

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2023-28631: Comrak AST node data is not validated (GHSL-2023-049)

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI