GHSA-g9hh-vvx3-v37v

Suggest an improvement
Source
https://github.com/advisories/GHSA-g9hh-vvx3-v37v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-g9hh-vvx3-v37v/GHSA-g9hh-vvx3-v37v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g9hh-vvx3-v37v
Aliases
Published
2022-04-23T00:03:04Z
Modified
2024-02-20T05:33:28.550353Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Denial of service in HtmlUnit-Neko
Details

Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24939.

References

Affected packages

Maven / net.sourceforge.htmlunit:neko-htmlunit

Package

Name
net.sourceforge.htmlunit:neko-htmlunit
View open source insights on deps.dev
Purl
pkg:maven/net.sourceforge.htmlunit/neko-htmlunit

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.27

Affected versions

2.*

2.21
2.23
2.24
2.25