CVE-2022-24836

Опубликовано: 11 апр. 2022

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.

Ссылки

http://seclists.org/fulldisclosure/2022/Dec/23
Mailing List
Third Party Advisory
https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd
Patch
Third Party Advisory
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/
https://security.gentoo.org/glsa/202208-29
Third Party Advisory
https://support.apple.com/kb/HT213532
Third Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/23
Mailing List
Third Party Advisory
https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd
Patch
Third Party Advisory
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/09/msg00010.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/
https://security.gentoo.org/glsa/202208-29
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*

Версия до 1.13.4 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Конфигурация 4

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Версия от 13.0 (включая) до 13.1 (исключая)

EPSS

Процентиль: 77%

0.01055

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-400

CWE-1333

Связанные уязвимости

CVE-2022-24836

CVSS3: 7.5

ubuntu

около 3 лет назад

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.

CVE-2022-24836

CVSS3: 7.5

redhat

около 3 лет назад

CVE-2022-24836

CVSS3: 7.5

debian

около 3 лет назад

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< ...

GHSA-crjr-9rc5-ghw8

CVSS3: 7.5

github

около 3 лет назад

Nokogiri Inefficient Regular Expression Complexity

BDU:2022-06047

CVSS3: 7.5

fstec

около 3 лет назад

Уязвимость программной библиотеки Nokogiri, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 77%

0.01055

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-400

CWE-1333