Bugzilla – Bug 1198404
VUL-0: CVE-2022-24839: rubygem-nokogiri,nekohtml: Uncontrolled Resource Consumption in nekohtml
Last modified: 2022-06-28 11:05:04 UTC
rh#2074340

org.cyberneko.html is an HTML parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`.

Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.

https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2074340
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24839
https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
Affected:
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update/nekohtml 1.9.21
- SUSE:SLE-15-SP2:Update/nekohtml 1.9.22
- openSUSE:Factory/nekohtml 1.9.22

I think rubygem-nokogiri is not affected, as it does not bundle nekohtml.jar, but please let me know if I overlooked something @Marcus Rueckert.
- SUSE:SLE-12:Update/rubygem-nokogiri 1.6.1
- SUSE:SLE-15:Update/rubygem-nokogiri 1.8.5
- SUSE:SLE-15-SP4:Update/rubygem-nokogiri 1.8.5
- openSUSE:Factory/rubygem-nokogiri 1.13.3
This is an autogenerated message for OBS integration: This bug (1198404) was mentioned in https://build.opensuse.org/request/show/972549 Factory / nekohtml
Duplicate *** This bug has been marked as a duplicate of bug 1198739 ***