GHSA-9849-p7jc-9rmv

Suggest an improvement
Source
https://github.com/advisories/GHSA-9849-p7jc-9rmv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-9849-p7jc-9rmv/GHSA-9849-p7jc-9rmv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9849-p7jc-9rmv
Aliases
Published
2023-06-22T19:58:54Z
Modified
2023-11-01T04:58:10.545301Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
org.nokogiri:nekohtml vulnerable to Uncontrolled Resource Consumption
Details

Summary

The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.

Severity

The maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

Mitigation

Upgrade to >= 1.9.22.noko2.

Credit

This vulnerability was reported by 이형관 (windshock).

References

CWE-400 Uncontrolled Resource Consumption

Notes

The upstream library org.cyberneko.html is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.

References

Affected packages

Maven / org.nokogiri:nekohtml

Package

Name
org.nokogiri:nekohtml
View open source insights on deps.dev
Purl
pkg:maven/org.nokogiri/nekohtml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.9.22.noko2