CVE-2017-13692 — Improper Input Validation in Tidy

CWE-20 — Improper Input Validation7 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 50.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Htacg Tidy Debian Tidy-html5

Timeline

PublishedAug 25

Latest updateMay 17

Description

In Tidy 5.5.31, the IsURLCodePoint function in attrs.c allows attackers to cause a denial of service (Segmentation Fault), as demonstrated by an invalid ISALNUM argument.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDhtacg/tidy5.5.31

▶debiandebian/tidy-html5

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-p4rg-78qv-f5g4: In Tidy 5↗2022-05-17

▶

📋Vendor Advisories

Red Hat

tidy: Segfault due to out-of-bounds read in ISURLCodePoint function↗2017-08-24

▶

Debian

CVE-2017-13692: tidy-html5 - In Tidy 5.5.31, the IsURLCodePoint function in attrs.c allows attackers to cause...↗2017

▶

💬Community

Bugzilla

CVE-2017-13692 CVE-2017-17497 tidy: various flaws [epel-7]↗2017-08-28

▶

Bugzilla

CVE-2017-13692 CVE-2017-17497 tidy: various flaws [fedora-all]↗2017-08-28

▶

Bugzilla

CVE-2017-13692 tidy: Segfault due to out-of-bounds read in ISURLCodePoint function↗2017-08-28

▶