
Legit Security Discovers “MarkdownTime”, A Vulnerability in Markdown Services Affecting GitHub, GitLab and Countless Others

Legit Security, a cyber security company with an enterprise platform that protects an organization’s software supply chain from attack and ensures secure application delivery, announced that it discovered an easy-to-exploit Denial-of-Service (DoS) vulnerability in Markdown libraries used by GitHub, GitLab and countless other applications that rely on a popular Markdown rendering service called commonmarker. Coined “MarkdownTime”, a vulnerable version of the commonmarker service allows an attacker to mount a simple DoS attack that could shut down innumerable digital business services across the globe by disrupting their application development pipelines. More information on the vulnerability and how to mitigate the risk is available in a technical disclosure blog found here.

Markdown is a way of creating formatted text with a plain-text editor and is commonly used in software development tools and environments. A wide range of applications and projects implement these popular open source Markdown libraries, such as the popular variant found in GitHub’s implementation – GFM (GitHub Flavored Markdown). In this case, Legit Security researchers found that it was simple to trigger unbounded resource exhaustion, leading to a Denial-of-Service condition that could take down the service. After bringing this vulnerability to the attention of the GitHub security team, GitHub recognized the issue and posted a formal acknowledgement and fix, which can be found here: CVE-2022-39209. It should be noted that many other tools and services may also be susceptible to the same vulnerability.

“Open-source libraries are ubiquitous in modern software development, but when vulnerabilities emerge, they can be very difficult to track due to uncontrolled copies of the original vulnerable code,” said Liav Caspi, CTO and co-founder of Legit Security. “When a library becomes popular and widespread, a vulnerability inside of it could potentially enable an attack on countless projects. Those attacks can include disruption of critical business services, such as crippling the software supply chain and the ability to release new business applications.”

This is exactly what the Legit Security research team saw with MarkdownTime: a copy of the vulnerable GFM implementation was found in commonmarker, the popular Ruby package implementing Markdown support, which has more than 1 million dependent repositories. The Legit Security team found implementations across several business-critical source code management services, among them GitHub and GitLab. Using this exploit, an unauthenticated attacker can bring down entire software production pipelines and cause significant damage to organizations’ digital business initiatives. Many other services beyond just software development environments may also be vulnerable to costly business disruption.

The Legit Security research team has disclosed this security issue to the maintainer of commonmarker, as well as to both GitHub and GitLab. All of them have fixed the issues, but many more copies of this markdown implementation have been deployed and are in use.
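For services that render untrusted Markdown with a Ruby library such as commonmarker, the primary fix is upgrading to a patched version. The following is an added example (not Legit Security's disclosure code and not part of the commonmarker gem) of the defensive backstop a practitioner would put around the render call regardless: an input size cap and a wall-clock budget, so one pathological document cannot pin a worker indefinitely. The renderer is injected as a callable so the example runs without the gem; the limits, the `safe_render` name and the `RenderBudgetExceeded` class are assumptions of this example.

```ruby
require "timeout"

# Added example, not code from the page or from the commonmarker project.
# Bounds the cost of rendering untrusted Markdown with two controls:
# a byte cap on the input and a wall-clock budget around the renderer.
# The limits below are assumptions; tune them per service.
MAX_INPUT_BYTES  = 64 * 1024
RENDER_TIMEOUT_S = 2.0

class RenderBudgetExceeded < StandardError; end

# Returns { ok: true, html: "..." } on success, or
# { ok: false, reason: :too_large | :timeout | :error, detail: "..." }.
# `renderer` is any callable taking the Markdown string and returning HTML;
# in production pass the library's own render method.
def safe_render(markdown, renderer:, max_bytes: MAX_INPUT_BYTES, timeout: RENDER_TIMEOUT_S)
  if markdown.bytesize > max_bytes
    return { ok: false, reason: :too_large,
             detail: "#{markdown.bytesize} bytes > #{max_bytes}" }
  end

  # Timeout raises RenderBudgetExceeded inside the block if the budget is spent.
  html = Timeout.timeout(timeout, RenderBudgetExceeded) { renderer.call(markdown) }
  { ok: true, html: html }
rescue RenderBudgetExceeded
  # Reject and log; never retry the same input on another worker.
  { ok: false, reason: :timeout, detail: "render exceeded #{timeout}s" }
rescue StandardError => e
  { ok: false, reason: :error, detail: e.class.name }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-ins for a real renderer.
  fast = ->(md) { "<p>#{md}</p>" }
  slow = ->(_md) { sleep 5; "<p>never</p>" }
  p safe_render("hello", renderer: fast)
  p safe_render("x" * 100, renderer: fast, max_bytes: 32)
  p safe_render("hello", renderer: slow, timeout: 0.2)
end
```

One caveat worth knowing before relying on the timeout: Ruby's `Timeout` works by raising an exception in the running thread, which only takes effect when control is back in Ruby code. A renderer implemented as a C extension (commonmarker wraps the C cmark-gfm parser) may not be interrupted until the native call returns, so the size cap and the patched library version are the controls that actually bound the work; the timeout is a backstop, and a stronger one is to render in a separate process under an OS-level CPU limit.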
