CVE-2022-24839
Published 2022-04-11
Severity: High, 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| antisamy_project | antisamy | < 1.6.6 | 1.6.6 |
| atlassian | jira_service_management | — | — |
| cyberneko_html_project | cyberneko_html | <= 1.9.22 | — |
| debian | libowasp-antisamy-java | < libowasp-antisamy-java 1.7.4-1 (forky) | libowasp-antisamy-java 1.7.4-1 (forky) |
| debian | nekohtml | < nekohtml 1.9.22.noko2-0.1 (bookworm) | nekohtml 1.9.22.noko2-0.1 (bookworm) |
| htmlunit | htmlunit | < 2.27 | 2.27 |
| nekohtml_project | nekohtml | < 1.9.22.noko2 | 1.9.22.noko2 |
| nekohtml_project | nekohtml | >= 0 < 1.9.22.noko2-0.1 | 1.9.22.noko2-0.1 |
| nekohtml_project | nekohtml | >= 0 < 1.9.22.noko2-0.1 | 1.9.22.noko2-0.1 |
| nekohtml_project | nekohtml | >= 0 < 1.9.22.noko2-0.1 | 1.9.22.noko2-0.1 |
| nokogiri | nokogiri | >= 0 < 1.13.4 | 1.13.4 |
| oracle | weblogic_server | — | — |
| oracle | weblogic_server | — | — |
| oracle | weblogic_server | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |