CVE-2022-23516
Published 2022-12-14
Priority: P3 · 37 · High · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.10% (61.6th percentile)
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.
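The workaround the advisory describes, limiting the length of strings before they are sanitized, as an added example that is not Loofah's own code: a wrapper that rejects oversized input before it reaches the sanitizer, turns a `SystemStackError` raised inside the sanitizer into an ordinary application error, and checks a Loofah version string against the affected range `>= 2.2.0, < 2.19.1` using RubyGems' `Gem::Requirement`. The `BoundedSanitizer` class, its 64 KiB default limit, and the two stand-in sanitizer lambdas are assumptions constructed for this example so that it runs without the loofah gem; in a real application the callable passed in would be something like `->(html) { Loofah.fragment(html).scrub!(:prune).to_s }`.

```ruby
# Added example for CVE-2022-23516 (not Loofah's code): length-gated sanitizing
# plus a version check against the affected range named in the advisory.
require "rubygems"

# Affected range taken from the advisory text: Loofah >= 2.2.0, < 2.19.1.
VULNERABLE_LOOFAH = Gem::Requirement.new(">= 2.2.0", "< 2.19.1")

# True when a Loofah version string falls inside the affected range; useful
# when inventorying deployed services before and after an upgrade.
def loofah_vulnerable?(version)
  VULNERABLE_LOOFAH.satisfied_by?(Gem::Version.new(version))
end

class InputTooLargeError < StandardError; end
class SanitizerFailedError < StandardError; end

# Wraps any sanitizer callable with two defensive layers:
#   1. reject input longer than max_bytes before calling the sanitizer, which
#      is the mitigation the advisory suggests for users who cannot upgrade;
#   2. rescue SystemStackError so that stack exhaustion inside the sanitizer
#      becomes a catchable application error instead of killing the worker.
class BoundedSanitizer
  # Assumption: a limit chosen for this example; tune per application.
  DEFAULT_MAX_BYTES = 64 * 1024

  def initialize(sanitizer, max_bytes: DEFAULT_MAX_BYTES)
    @sanitizer = sanitizer
    @max_bytes = max_bytes
  end

  def sanitize(html)
    if html.bytesize > @max_bytes
      raise InputTooLargeError, "input is #{html.bytesize} bytes, limit is #{@max_bytes}"
    end
    @sanitizer.call(html)
  rescue SystemStackError => e
    raise SanitizerFailedError, "sanitizer exhausted the stack: #{e.message}"
  end
end

# Constructed stand-in so the example runs offline: strips CDATA sections with a
# regexp. It has none of Loofah's real behaviour and is not a sanitizer to ship.
STUB_SANITIZER = ->(html) { html.gsub(/<!\[CDATA\[.*?\]\]>/m, "") }

# Constructed stand-in that reproduces the failure mode (unbounded recursion)
# on any input, so the rescue path above can be exercised.
EXPLODING_SANITIZER = lambda do |_html|
  recurse = ->(n) { recurse.call(n + 1) }
  recurse.call(0)
end

if __FILE__ == $PROGRAM_NAME
  puts "2.18.0 vulnerable? #{loofah_vulnerable?('2.18.0')}"   # true
  puts "2.19.1 vulnerable? #{loofah_vulnerable?('2.19.1')}"   # false

  guarded = BoundedSanitizer.new(STUB_SANITIZER, max_bytes: 1024)
  puts guarded.sanitize("<p>hello</p><![CDATA[ignored]]>")   # <p>hello</p>

  begin
    guarded.sanitize("<![CDATA[" + ("x" * 2048) + "]]>")
  rescue InputTooLargeError => e
    puts "rejected before sanitizing: #{e.message}"
  end

  begin
    BoundedSanitizer.new(EXPLODING_SANITIZER).sanitize("<p>a</p>")
  rescue SanitizerFailedError => e
    puts "contained: #{e.message}"
  end
end
```

The version check is the inventory step; the byte limit is the runtime mitigation, and the `SystemStackError` rescue is defence in depth for any code path the limit does not cover. Upgrading to 2.19.1 remains the real fix.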
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-loofah | < 2.19.1-1 (bookworm) | 2.19.1-1 (bookworm) |
| flavorjones | loofah | — | — |
| loofah_project | loofah | >= 2.2.0, < 2.19.1 | 2.19.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
OSV
CVE-2022-23516 [HIGH] CVE-2022-23516: Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri
osv · 2022-12-14 · CVSS 7.5
OSV
CVE-2022-23516 [HIGH] Uncontrolled Recursion in Loofah
osv · 2022-12-13
## Summary
Loofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception. This may lead to a denial of service through CPU resource consumption. This issue is patched in version `2.19.1`.
Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.
## Severity
The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
## References
- [CWE - CWE-674: Uncontrolled Recursion (4.9)](https://cwe.mitre.org/data/definitions/674.html)
GHSA
CVE-2022-23516 [HIGH] CWE-674 Uncontrolled Recursion in Loofah
ghsa · 2022-12-13
Same advisory text as the OSV "Uncontrolled Recursion in Loofah" entry (GHSA-3x8r-x6xp-q4vm).
Red Hat
CVE-2022-23516 [HIGH] CWE-674 rubygem-loofah: Uncontrolled Recursion leading to denial of service
vendor_redhat · 2022-12-13 · CVSS 7.5
An uncontrolled recursion vulnerability was found in rubygem loofah. While sanitizing certain sections, loofah is susceptible to stack exhaustion, which can result in a denial of service through CPU resource
Debian
CVE-2022-23516 [HIGH] CVE-2022-23516: ruby-loofah - Loofah is a general library for manipulating and transforming HTML/XML documents...
vendor_debian · 2022 · CVSS 7.5
Scope: local
- bookworm: resolved (fixed in 2.19.1-1)
- bullseye: resolved (fixed in 2.7.0+dfsg-1+deb11u1)
- forky: resolved (fixed in 2.19.1-1)
- sid: resolved (fixed in 2.19.1-1)
- trixie: resolved (fixed in 2.19.1-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
- https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html
Published 2022-12-14