CVE-2022-28366
Published 2022-04-21
Priority: P3 · 38 · HIGH · 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.97% (77.9th percentile)
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| antisamy_project | antisamy | < 1.6.6 | 1.6.6 |
| atlassian | jira_service_management | — | — |
| cyberneko_html_project | cyberneko_html | <= 1.9.22 | — |
| debian | libowasp-antisamy-java | < 1.7.4-1 (forky) | 1.7.4-1 (forky) |
| htmlunit | htmlunit | < 2.61.0 | 2.61.0 |
| htmlunit | htmlunit | < 2.27 | 2.27 |
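As an added example for this record (not code from HtmlUnit, CyberNeko, AntiSamy or any of the sources listed on this page), the following Python check applies the ranges in the table above to the output of `mvn dependency:list`. The Maven coordinates it keys on (org.owasp.antisamy:antisamy, net.sourceforge.nekohtml:nekohtml, net.sourceforge.htmlunit:neko-htmlunit and net.sourceforge.htmlunit:htmlunit) and the sample build output are assumptions made for the example; CyberNeko HTML is handled separately because the record gives it no fixed version.

```python
"""Flag Maven coordinates that fall inside the affected ranges listed above.

Added example, not part of this CVE record or of any project it names.
Assumptions: the Maven coordinates below (org.owasp.antisamy:antisamy,
net.sourceforge.nekohtml:nekohtml, net.sourceforge.htmlunit:neko-htmlunit,
net.sourceforge.htmlunit:htmlunit); the input format is the
`groupId:artifactId:type:version:scope` lines printed by `mvn dependency:list`.
"""
import re
from typing import List, Optional

# (groupId, artifactId) -> first fixed version, or None when no fixed
# release exists (CyberNeko HTML stopped at 1.9.22, so every version is in range).
AFFECTED = {
    ("net.sourceforge.nekohtml", "nekohtml"): None,         # <= 1.9.22, last release
    ("net.sourceforge.htmlunit", "neko-htmlunit"): "2.27",  # HtmlUnit-Neko < 2.27
    ("net.sourceforge.htmlunit", "htmlunit"): "2.61.0",     # per the table above
    ("org.owasp.antisamy", "antisamy"): "1.6.6",            # AntiSamy < 1.6.6
}

# One `mvn dependency:list` entry, with or without the "[INFO]" prefix.
# Six-part coordinates carrying a classifier are not handled here.
DEP_LINE = re.compile(
    r"^\s*(?:\[INFO\]\s+)?"
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>[\w-]+):"
    r"(?P<version>[\w.-]+):(?P<scope>\w+)\s*$"
)


def parse_version(version: str) -> tuple:
    """Leading numeric segments of a Maven version: '1.9.22' -> (1, 9, 22).
    Parsing stops at the first non-numeric segment, so '2.27-SNAPSHOT'
    compares as 2.27. This is not Maven's full ComparableVersion ordering;
    it is adequate for the plain release numbers in the ranges above."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True when release a is strictly older than release b.
    Tuples are zero-padded so that '2.27' compares equal to '2.27.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def check_dependency(group: str, artifact: str, version: str) -> Optional[str]:
    """Return a finding for an in-range coordinate, or None if it is not affected."""
    key = (group, artifact)
    if key not in AFFECTED:
        return None
    fixed = AFFECTED[key]
    coord = f"{group}:{artifact}:{version}"
    if fixed is None:
        return (f"{coord} affected: no fixed release exists "
                f"(1.9.22 is the last CyberNeko HTML version); replace the dependency")
    if version_lt(version, fixed):
        return f"{coord} affected: upgrade to {fixed} or later"
    return None


def scan_dependency_list(text: str) -> List[str]:
    """Apply check_dependency to every coordinate line in dependency:list output."""
    findings = []
    for line in text.splitlines():
        match = DEP_LINE.match(line)
        if match is None:
            continue  # plugin banner, blank [INFO] lines, and so on
        finding = check_dependency(match["group"], match["artifact"], match["version"])
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample output, not a capture from a real build.
SAMPLE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.3.0:list (default-cli) @ webapp ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    net.sourceforge.nekohtml:nekohtml:jar:1.9.22:compile
[INFO]    org.owasp.antisamy:antisamy:jar:1.6.5:compile
[INFO]    net.sourceforge.htmlunit:neko-htmlunit:jar:2.27:test
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
"""

if __name__ == "__main__":
    for finding in scan_dependency_list(SAMPLE_OUTPUT):
        print(finding)
```

To use it against a real build, replace SAMPLE_OUTPUT with the captured output of `mvn dependency:list`. Two caveats: the check only sees coordinates that Maven resolves, so a copy of nekohtml shaded into a vendor product (the Jira Service Management case below) will not appear and has to be confirmed from the vendor advisory; and a version that is not a plain dotted release number (a snapshot or a distribution suffix such as Debian's 1.7.4-1) is compared on its numeric prefix only.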
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| ghsa | — | 6.5 | MEDIUM | — |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
Atlassian
CVE-2022-28366: DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Vulnerability in Jira Service Management Data Center and Server
vendor_atlassian · 2023-12-12 · CVSS 7.5 · HIGH
CVE: CVE-2022-28366
Severity: HIGH
Affected products: Jira Service Management
Debian
CVE-2022-28366: libowasp-antisamy-java - Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption
vendor_debian · 2022 · CVSS 7.5 · HIGH
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 1.7.4-1)
sid: resolved (fixed in 1.7.4-1)
trixie: resolved (fixed in 1.7.4-1)
OSV
Denial of service in HtmlUnit-Neko
osv · 2022-04-23 · CVSS 6.5 · MEDIUM
GHSA
Denial of service in HtmlUnit-Neko
ghsa · 2022-04-23 · CVSS 6.5 · MEDIUM
OSV
CVE-2022-28366: Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption
osv · 2022-04-21 · CVSS 7.5 · HIGH
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/nahsra/antisamy/releases/tag/v1.6.6
- https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit
- https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/
Published: 2022-04-21