CVE-2023-37463: 
Ruby vulnerability analysis and mitigation

cmark-gfm, an extended version of the C reference implementation of CommonMark (a rationalized version of Markdown syntax), was found to contain three polynomial time complexity issues that could lead to unbounded resource exhaustion and subsequent denial of service. The vulnerability was discovered in version 0.29.0.gfm.11 and earlier versions, and was patched in version 0.29.0.gfm.12. The issue was assigned CVE-2023-37463 and was disclosed on July 13, 2023 (GitHub Advisory).

The vulnerability consists of three distinct quadratic complexity issues: 1) A quadratic loop in table alignment logic where searching a linked list to calculate column numbers becomes inefficient with large tables, 2) A linear-sized input creating quadratic-size tables through column extension behavior, and 3) Nested footnotes causing quadratic behavior through deeply-nested lists of blocks. The vulnerability received a CVSS v3.1 base score of 7.5 (HIGH) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

These vulnerabilities could be exploited in denial-of-service attacks on websites that use cmark-gfm to render markdown documents. The issues allow attackers to craft specific markdown inputs that trigger quadratic time complexity, leading to resource exhaustion (GitHub Security Lab).

The vulnerabilities have been patched in version 0.29.0.gfm.12. Users are advised to upgrade to this version or later to address these security issues (GitHub Release).