CVE-2022-24839

org.cyberneko.html is an html parser written in Java. The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup. Users are advised to upgrade to >= 1.9.22.noko2. Note: The upstream library org.cyberneko.html is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.

Published: Apr 12, 2022
Updated: May 9, 2024
CVE: CVE-2022-24839
GHSA: GHSA-9849-p7jc-9rmv
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
nekohtml_project / nekohtml	-	1.9.22.noko2
oracle / weblogic_server	12.2.1.3.0	12.2.1.3.0.x
oracle / weblogic_server	12.2.1.4.0	12.2.1.4.0.x
oracle / weblogic_server	14.1.1.0.0	14.1.1.0.0.x
org.nokogiri / nekohtml	-	1.9.22.noko2

Vulnerability Database

CVE-2022-24839

Deep Security Visibility Without the Complexity