First published: Wed Mar 16 2022
CKEditor is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the dialog plugin. By supplying a specially crafted input string to the affected validator regular expression, a remote attacker could exploit this vulnerability to cause a significant performance drop that results in a browser tab freeze.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ckeditor Ckeditor | >=4.0, <4.18.0 | |
| Drupal Drupal | >=8.0.0, <9.2.15 | |
| Drupal Drupal | >=9.3.0, <9.3.8 | |
| Oracle Application Express | <22.1.1 | |
| Oracle Commerce Merchandising | =11.3.2 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.7.0.0, <=8.1.0.0.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | =8.1.1.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | =8.1.2.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | =8.1.2.1 | |
| Oracle Financial Services Behavior Detection Platform | >=8.1.1.0, <=8.1.2.1 | |
| Oracle Financial Services Behavior Detection Platform | =8.0.7.0 | |
| Oracle Financial Services Behavior Detection Platform | =8.0.8.0 | |
| Oracle Financial Services Trade-based Anti Money Laundering | =8.0.7 | |
| Oracle Financial Services Trade-based Anti Money Laundering | =8.0.8 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| IBM IBM® Engineering Requirements Management DOORS | <=9.7.2.7 | |
| IBM IBM® Engineering Requirements Management DOORS Web Access | <=9.7.2.7 | |
CVE-2022-24729 is a vulnerability in CKEditor4, a popular open source HTML editor, which allows abuse of a dialog input validator regular expression, leading to a significant performance drop.
The severity level of CVE-2022-24729 is high, with a CVSS score of 7.5.
CKEditor4 versions prior to 4.18.0, Drupal versions 8.0.0 to 9.2.15, Drupal versions 9.3.0 to 9.3.8, Oracle Application Express up to version 22.1.1, Oracle Commerce Merchandising version 11.3.2, and various versions of Oracle Financial Services Analytical Applications Infrastructure, Oracle Financial Services Behavior Detection Platform, Oracle Financial Services Trade-based Anti Money Laundering, Oracle PeopleSoft Enterprise PeopleTools, and Fedora are affected by CVE-2022-24729.
The CVE-2022-24729 vulnerability in CKEditor4 can cause a significant performance drop due to the abuse of a dialog input validator regular expression in the `dialog` plugin.
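The mechanism behind a validator ReDoS, as an added example that is not CKEditor's code and does not use the actual pattern from the `dialog` plugin: `VULNERABLE_RE` is a constructed validator with the same defect class (a nested quantifier that can partition a run of characters in exponentially many ways before rejecting), `HARDENED_RE` is a constructed equivalent that matches each position in exactly one way, and `MAX_INPUT_LENGTH` is an assumed limit applied before any regex runs. The function and constant names are this example's own.

```javascript
// Added example, not CKEditor's code. VULNERABLE_RE is a constructed
// validator with the defect class the advisory describes: the nested
// quantifier (\w+\s?)* lets the engine split a run of word characters in
// exponentially many ways before it can reject the input.
const VULNERABLE_RE = /^(\w+\s?)*$/;

// Hardened equivalent (constructed): every iteration of the repeated group
// must start with whitespace, so there is exactly one way to match any
// position and a rejection costs time linear in the input length.
// (Unlike VULNERABLE_RE it requires at least one word.)
const HARDENED_RE = /^\w+(?:\s\w+)*\s?$/;

// Defence in depth (assumed limit): bound the input before any regex sees
// it, so even a pattern with a latent backtracking problem has a bounded
// worst case.
const MAX_INPUT_LENGTH = 256;

function validateUnsafe(value) {
  return VULNERABLE_RE.test(value);
}

function validateSafe(value) {
  if (typeof value !== 'string' || value.length > MAX_INPUT_LENGTH) {
    return false;
  }
  return HARDENED_RE.test(value);
}

// Constructed input that is almost valid: n word characters followed by one
// character neither pattern accepts. The failing match is what forces the
// vulnerable pattern to explore every partition of the word run.
function almostValidInput(n) {
  return 'a'.repeat(n) + '!';
}

// Run both validators on the same input. The booleans agree; the timings
// diverge as n grows.
function compareValidators(input) {
  const t0 = Date.now();
  const unsafe = validateUnsafe(input);
  const t1 = Date.now();
  const safe = validateSafe(input);
  const t2 = Date.now();
  return { unsafe, safe, unsafeMs: t1 - t0, safeMs: t2 - t1 };
}

// Keep n modest: each extra character roughly doubles the vulnerable
// validator's work on a rejected input, which is the browser-tab freeze
// the advisory describes.
for (const n of [10, 14, 18]) {
  const r = compareValidators(almostValidInput(n));
  console.log(`n=${n} unsafe=${r.unsafe} (${r.unsafeMs} ms)  safe=${r.safe} (${r.safeMs} ms)`);
}
```

The two defences are independent: the length cap bounds the damage of any regex that is later found to backtrack badly, and the unambiguous pattern removes the exponential case for this validator entirely. When reviewing a validator regex, look for a quantified group whose body can also match the empty or overlapping text that the next part of the group accepts; that overlap is what turns a rejected input into exponential work.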
You can find more information about CVE-2022-24729 on the CKEditor4 website, the GitHub security advisory, and the Fedora project's mailing list.