GHSA-9849-p7jc-9rmv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9849-p7jc-9rmv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-9849-p7jc-9rmv/GHSA-9849-p7jc-9rmv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9849-p7jc-9rmv
- Aliases
- Published
- 2023-06-22T19:58:54Z
- Modified
- 2023-11-08T04:08:38.309946Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- org.nokogiri:nekohtml vulnerable to Uncontrolled Resource Consumption
- Details
-
Summary
The fork of
org.cyberneko.htmlused by Nokogiri (Rubygem) raises ajava.lang.OutOfMemoryErrorexception when parsing ill-formed HTML markup.Severity
The maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
Mitigation
Upgrade to
>= 1.9.22.noko2.Credit
This vulnerability was reported by 이형관 (windshock).
References
CWE-400 Uncontrolled Resource Consumption
Notes
The upstream library
org.cyberneko.htmlis no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability. - Database specific
{ "github_reviewed_at": "2023-06-22T19:58:54Z", "github_reviewed": true, "severity": "HIGH", "nvd_published_at": "2022-04-11T22:15:07Z", "cwe_ids": [ "CWE-400" ] }- References
-
- https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
- https://nvd.nist.gov/vuln/detail/CVE-2022-24839
- https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
- https://github.com/sparklemotion/nekohtml
- https://www.oracle.com/security-alerts/cpujul2022.html
Affected packages
Maven / org.nokogiri:nekohtml
Package
- Name
- org.nokogiri:nekohtml
- View open source insights on deps.dev
- Purl
- pkg:maven/org.nokogiri/nekohtml