CVE-2022-24839

org.cyberneko.html is an html parser written in Java. The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup. Users are advised to upgrade to >= 1.9.22.noko2. Note: The upstream library org.cyberneko.html is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

Potential Mitigations

• Mitigation of resource exhaustion attacks requires that the target system either:

• The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

• The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/147.html
• https://cwe.mitre.org/data/definitions/227.html
• https://cwe.mitre.org/data/definitions/492.html

References

• https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
• https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
• https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
• https://www.oracle.com/security-alerts/cpujul2022.html