Incorrect Regular Expression in Nokogiri - CVE-2022-24836


Published: June 12, 2022


Vulnerability identifier: #VU64190
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-24836
CWE-ID: CWE-185
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: nokogiri.org
Affected software: Nokogiri

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because the regular expression used to detect the character encoding of an HTML document is susceptible to excessive backtracking. A remote attacker can bypass implemented restrictions.
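The description above concerns a regular expression that backtracks excessively while sniffing an HTML document's encoding. The Ruby script below is an added example, not Nokogiri's code and not its actual pattern, showing the defensive shape such a sniffer should have: it inspects only a bounded prefix of the document, uses a pattern with no nested or overlapping quantifiers, and on Ruby versions that support Regexp.timeout caps how long any single match may run. SNIFF_LIMIT, META_CHARSET, sniff_charset and the SAMPLE_* strings are all assumptions constructed for this example.

```ruby
# Added example (not Nokogiri's code): a bounded, backtracking-safe charset
# sniffer of the kind an HTML parser runs before it decodes a document.
# Assumed: only the first SNIFF_LIMIT bytes are inspected, and only the
# two common <meta> forms in the constructed samples below are recognised.

SNIFF_LIMIT = 1024 # constructed cap; a real parser chooses its own prefix size

# One quantifier level over disjoint classes: \s+ cannot match '>', [^>]*?
# stops at the end of the tag, and the value class excludes quotes and
# whitespace. No position can be split many ways between adjacent
# quantifiers, which is what makes a regex backtrack exponentially.
META_CHARSET = /<meta\s+[^>]*?charset\s*=\s*["']?\s*([A-Za-z0-9._:-]+)/i

# Defence in depth on Ruby >= 3.2: abort any regex match that runs too long
# instead of letting one document pin a worker. Older Rubies skip this line.
Regexp.timeout = 0.5 if Regexp.respond_to?(:timeout=)

# Returns the declared charset (upcased) from the document prefix, or nil.
def sniff_charset(html)
  prefix = html.byteslice(0, SNIFF_LIMIT)
  m = META_CHARSET.match(prefix)
  m && m[1].upcase
end

# Constructed samples, not taken from any real site.
SAMPLE_SHORT = "<html><head><meta charset='iso-8859-1'><title>x</title></head></html>"
SAMPLE_HTTP_EQUIV = "<html><head><meta http-equiv=\"Content-Type\" " \
                    "content=\"text/html; charset=utf-8\"></head></html>"
# A declaration past the sniff window is deliberately ignored: the parser
# has to decode the first bytes before it could ever reach it.
SAMPLE_LATE = ("<!-- " + "x" * 2000 + " -->") + SAMPLE_SHORT
# A long run of tag openers with no closing '>' is the kind of input that
# makes a nested-quantifier pattern explode; the bounded prefix and the
# single-level pattern turn it into a fast non-match here.
SAMPLE_JUNK = "<meta " * 100_000

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_SHORT, SAMPLE_HTTP_EQUIV, SAMPLE_LATE, SAMPLE_JUNK].each do |doc|
    t = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    cs = sniff_charset(doc)
    ms = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - t) * 1000).round(2)
    puts "#{cs.inspect} (#{doc.bytesize} bytes, #{ms} ms)"
  end
end
```

The three controls are independent: the prefix cap bounds the work even if the pattern is later edited into something worse, the pattern shape keeps that bounded work linear in practice, and the timeout is the last resort that turns a pathological match into an error rather than a stalled process. When reviewing a parser's own encoding detection, check for each of them separately.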


How to mitigate CVE-2022-24836

Install updates from the vendor's website.
