CVE-2022-24836: Uncontrolled Resource Consumption in Nokogiri

Severity
7.5 HIGH (NVD)
EPSS
1.3% (top 19.96%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: 2022-04-11
Latest update: 2022-12-13

Description

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue. Since the regular expression runs over attacker-controlled document bytes before parsing begins, any code path that hands untrusted HTML to Nokogiri's HTML parser is exposed; the practical impact is CPU exhaustion (denial of service), not data disclosure or corruption.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Reading the vector: reachable over the network with low complexity, no privileges and no user interaction; confidentiality and integrity are untouched, and the whole score comes from the high availability impact of the backtracking stall.

Affected Packages (6 packages)

Debian: debian/ruby-nokogiri < 1.13.5+dfsg-1 (bookworm)
NVD: nokogiri/nokogiri < 1.13.4
RubyGems: nokogiri/nokogiri < 1.13.4
CVEListV5: sparklemotion/nokogiri < 1.13.4
NVD: apple/macos 13.0 (fixed in macOS Ventura 13.1)

Also affects: Debian Linux 10.0, 9.0; Fedora 34, 35, 36
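As an added, runnable check (not code from this page or from the Nokogiri project): a Ruby snippet that reads a Gemfile.lock and flags any resolved nokogiri gem below the 1.13.4 fix version given in the RubyGems, NVD and CVEListV5 entries above. The function names and the Gemfile.lock excerpt are constructed for the example. The Debian and macOS entries use distribution version schemes that Gem::Version does not parse, so they are out of scope here.

```ruby
require "rubygems"

# Fix version from the advisory: every nokogiri gem release below this is affected.
NOKOGIRI_FIXED = Gem::Version.new("1.13.4")

# True when the gem version string falls in the affected range (< 1.13.4).
# Prerelease versions such as "1.13.4.rc1" sort before 1.13.4 in Gem::Version,
# so they are reported as affected; for a ReDoS fix that is the safe default.
def nokogiri_affected?(version_string)
  Gem::Version.new(version_string) < NOKOGIRI_FIXED
end

# Collect the versions of the nokogiri gem resolved in a Gemfile.lock.
# Resolved gems sit under "specs:" indented by exactly four spaces, e.g.
#   "    nokogiri (1.13.3-x86_64-linux)"; dependency constraints such as
#   "      nokogiri (>= 1.5.9)" are indented by six and carry an operator,
# so anchoring on a four-space indent excludes them. A trailing "-<platform>"
# suffix is stripped; hyphenated prerelease tags are not expected in lockfiles.
def nokogiri_versions_in_lock(lock_text)
  lock_text.scan(/^ {4}nokogiri \(([^)\s-]+)(?:-[^)]+)?\)/).flatten.uniq
end

# Map each resolved nokogiri version to whether it is in the affected range.
def audit_lock(lock_text)
  nokogiri_versions_in_lock(lock_text).to_h { |v| [v, nokogiri_affected?(v)] }
end

# Constructed Gemfile.lock excerpt for the example (not a real project's lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.16.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.13.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    loofah
LOCK

if __FILE__ == $PROGRAM_NAME
  audit_lock(SAMPLE_LOCK).each do |version, affected|
    puts "nokogiri #{version}: #{affected ? 'AFFECTED (upgrade to >= 1.13.4)' : 'not affected'}"
  end
end
```

Point the script at a real lockfile with `audit_lock(File.read("Gemfile.lock"))`. Platform-specific lockfiles can list the same nokogiri version several times with different platform suffixes; the `uniq` collapses those to one entry per version.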

Patches

Vulnerability Details (3 references)

OSV: CVE-2022-24836: Nokogiri is an open source XML and HTML library for Ruby (2022-04-11)
OSV: Nokogiri Inefficient Regular Expression Complexity (2022-04-11)
GHSA: Nokogiri Inefficient Regular Expression Complexity (2022-04-11)

Vendor Advisories (3 references)

Apple: CVE-2022-24836: macOS Ventura 13.1 (2022-12-13)
Red Hat: nokogiri: ReDoS in HTML encoding detection (2022-04-11)
Debian: CVE-2022-24836: ruby-nokogiri - Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` c... (2022)