CVE-2022-23514
Published: 2022-12-14
Priority: P3 · 38 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.69% (74.1th percentile)
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-loofah | < ruby-loofah 2.19.1-1 (bookworm) | ruby-loofah 2.19.1-1 (bookworm) |
| flavorjones | loofah | < 2.19.1 | 2.19.1 |
| loofah_project | loofah | < 2.19.1 | 2.19.1 |
| loofah_project | loofah | >= 0 < 2.19.1 | 2.19.1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | |
| vendor_debian | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
OSV
CVE-2022-23514 [HIGH] · osv · 2022-12-14 · CVSS 7.5
GHSA
CVE-2022-23514 [HIGH] · CWE-1333 · ghsa · 2022-12-13
Inefficient Regular Expression Complexity in Loofah
## Summary
Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. Upgrade to Loofah `>= 2.19.1`.
## Severity
The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
## References
- [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)
- https://hackerone.com/reports/1684163
## Credit
This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).
Red Hat
CVE-2022-23514 [HIGH] · CWE-1333 · vendor_redhat · 2022-12-13 · CVSS 7.5
rubygem-loofah: inefficient regular expression leading to denial of service
An inefficient regular expression vulnerability was found in rubygem loofah. While sanitizing certain SVG attributes, loofah is susceptible to excessive backtracking, which can result in a denial of service through CPU resource consumption.
Package: 3scale-amp-zync-container (Red Hat 3scale API Management Platform 2) - Will not
Debian
CVE-2022-23514 [HIGH] · vendor_debian · 2022 · CVSS 7.5
ruby-loofah
Scope: local
- bookworm: resolved (fixed in 2.19.1-1)
- bullseye: resolved (fixed in 2.7.0+dfsg-1+deb11u1)
- forky: resolved (fixed in 2.19.1-1)
- sid: resolved (fixed in 2.19.1-1)
- trixie: resolved (fixed in 2.19.1-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
- https://hackerone.com/reports/1684163
- https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html
Published: 2022-12-14