
exploitDog


CVE-2022-28366

Published: 21 Apr 2022
Source: nvd
CVSS3: 7.5
CVSS2: 5
EPSS: Low

Description

Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:cyberneko_html_project:cyberneko_html:*:*:*:*:*:*:*:*
Version up to 1.9.22 (inclusive)
cpe:2.3:a:htmlunit:htmlunit:*:*:*:*:*:*:*:*
Version up to 2.27 (exclusive)

Configuration 2

cpe:2.3:a:antisamy_project:antisamy:*:*:*:*:*:*:*:*
Version up to 1.6.6 (exclusive)

EPSS

Percentile: 40%
0.00179
Low

7.5 High

CVSS3

5 Medium

CVSS2

Weaknesses

NVD-CWE-noinfo

Related vulnerabilities

CVSS3: 7.5
ubuntu
almost 4 years ago

Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.

CVSS3: 7.5
debian
almost 4 years ago

Certain Neko-related HTML parsers allow a denial of service via crafte ...

CVSS3: 7.5
github
almost 4 years ago

Denial of service in HtmlUnit-Neko
