CVE-2022-28366 — Uncontrolled Resource Consumption in Project Antisamy

CWE-400 — Uncontrolled Resource Consumption7 documents6 sources

Severity

7.5HIGHNVD

GHSA6.5OSV6.5

EPSS

0.2%

top 60.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Antisamy Project Antisamy Htmlunit Cyberneko Html Project Cyberneko Html

Timeline

PublishedApr 21

Latest updateDec 12

Description

Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDcyberneko_html_project/cyberneko_html1.9.22

▶NVDhtmlunit/htmlunit< 2.27

▶NVDantisamy_project/antisamy< 1.6.6

🔴Vulnerability Details

OSV

Denial of service in HtmlUnit-Neko↗2022-04-23

▶

GHSA

Denial of service in HtmlUnit-Neko↗2022-04-23

▶

CVEList

CVE-2022-28366: Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumptio↗2022-04-21

▶

OSV

CVE-2022-28366: Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumptio↗2022-04-21

▶

📋Vendor Advisories

Atlassian

CVE-2022-28366: DoS (Denial of Service) net.sourceforge.nekohtml:nekohtml Vulnerability in Jira Service Management Data Center and Serve↗2023-12-12

▶

Debian

CVE-2022-28366: libowasp-antisamy-java - Certain Neko-related HTML parsers allow a denial of service via crafted Processi...↗2022

▶