CVE-2022-24839: Uncontrolled Resource Consumption in org.cyberneko.html (nokogiri fork)
First published: Mon Apr 11 2022(Updated: )
## Summary The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. ## Severity The maintainers have evaluated this as [**High Severity** 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). ## Mitigation Upgrade to `>= 1.9.22.noko2`. ## Credit This vulnerability was reported by [이형관 (windshock)](https://www.linkedin.com/in/windshock/). ## References [CWE-400](https://cwe.mitre.org/data/definitions/400.html) Uncontrolled Resource Consumption ## Notes The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nekohtml Project Nekohtml | <1.9.22.noko2 | |
| Oracle WebLogic Server | =12.2.1.3.0 | |
| Oracle WebLogic Server | =12.2.1.4.0 | |
| Oracle WebLogic Server | =14.1.1.0.0 | |
| maven/org.nokogiri:nekohtml | <1.9.22.noko2 | 1.9.22.noko2 |
| IBM Secure Proxy | <=6.0.3 | |
| IBM Secure Proxy | <=6.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
- https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-24839
- https://github.com/advisories/GHSA-9849-p7jc-9rmv (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/224089
- https://www.ibm.com/support/pages/node/7142038 (Advisory)
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2022-24839.
What is the severity of CVE-2022-24839?
The severity of CVE-2022-24839 is high with a score of 7.5.
Which software products are affected by CVE-2022-24839?
The affected software products include IBM Cloud Transformation Advisor, Nekohtml Project Nekohtml, Oracle WebLogic Server 12.2.1.3.0, Oracle WebLogic Server 12.2.1.4.0, and Oracle WebLogic Server 14.1.1.0.0.
How can I fix CVE-2022-24839?
To fix CVE-2022-24839, upgrade to Nokogiri version >= 1.9.22.noko2 for Nekohtml Project Nekohtml, or follow the patch remedy provided by your software vendor.
Where can I find more information about CVE-2022-24839?
More information about CVE-2022-24839 can be found in the references: [1](https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d), [2](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv), [3](https://www.oracle.com/security-alerts/cpujul2022.html).
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-9849-p7jc-9rmv
- alias/CVE-2022-24839
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/remedy
- agent/type
- agent/severity
- agent/weakness
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/tags
- vendor/nekohtml project
- canonical/nekohtml project nekohtml
- vendor/oracle
- canonical/oracle weblogic server
- version/oracle weblogic server/12.2.1.3.0
- version/oracle weblogic server/12.2.1.4.0
- version/oracle weblogic server/14.1.1.0.0
- package-manager/maven
- vendor/ibm
- canonical/ibm secure proxy
- version/ibm secure proxy/6.0.3
- version/ibm secure proxy/6.1.0