GHSA-3x8r-x6xp-q4vm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3x8r-x6xp-q4vm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-3x8r-x6xp-q4vm/GHSA-3x8r-x6xp-q4vm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3x8r-x6xp-q4vm
- Aliases
- Published
- 2022-12-13T17:40:50Z
- Modified
- 2023-11-01T04:57:53.426188Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Uncontrolled Recursion in Loofah
- Details
-
Summary
Loofah
>= 2.2.0, < 2.19.1uses recursion for sanitizingCDATAsections, making it susceptible to stack exhaustion and raising aSystemStackErrorexception. This may lead to a denial of service through CPU resource consumption.Mitigation
Upgrade to Loofah
>= 2.19.1.Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.
Severity
The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
- References
-
- https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
- https://nvd.nist.gov/vuln/detail/CVE-2022-23516
- https://github.com/flavorjones/loofah/commit/86f7f6364491b0099d215db858ecdc0c89ded040
- https://github.com/flavorjones/loofah
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23516.yml
- https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
Affected packages
RubyGems / loofah
Package
- Name
- loofah
- Purl
- pkg:gem/loofah