CVE-2022-28366
published 2022-04-21


Priority: P3 (38)
Severity: high, 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 1.97% (77.9th percentile)
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.

Affected (6 ranges)

Vendor                 | Product                   | Version range                                    | Fixed in
-----------------------|---------------------------|--------------------------------------------------|------------------------------------------
antisamy_project       | antisamy                  | < 1.6.6                                          | 1.6.6
atlassian              | jira_service_management   |                                                  |
cyberneko_html_project | cyberneko_html            | <= 1.9.22                                        |
debian                 | libowasp-antisamy-java    | < libowasp-antisamy-java 1.7.4-1 (forky)         | libowasp-antisamy-java 1.7.4-1 (forky)
htmlunit               | htmlunit                  | < 2.61.0                                         | 2.61.0
htmlunit               | htmlunit                  | < 2.27                                           | 2.27

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
--------------|--------------|-------|----------|-----------------------------------------------
nvd           | v3.1         | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd           | v2.0         | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:N/I:N/A:P
ghsa          |              | 6.5   | MEDIUM   |
osv           |              | 7.5   | HIGH     |
vendor_debian |              | 7.5   | HIGH     |