CVE-2022-24839

Published: 11/04/2022 Updated: 23/02/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.

Vulnerable Products

nekohtml project nekohtml

oracle weblogic server 12.2.1.3.0

oracle weblogic server 12.2.1.4.0

oracle weblogic server 14.1.1.0.0

Vendor Advisories

Debian Bug report logs - #1021739 nekohtml: CVE-2022-24839. Package: src:nekohtml; Maintainer for src:nekohtml is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Moritz Mühlenhoff <jmm@inutil.org>; Date: Thu, 13 Oct 2022 19:21:01 UTC; Severity: grave; Tags: security, upstream R ...

Github Repositories

CodeQL workshop - Investigating CVE-2022-24839. We will be investigating CVE-2022-24839 in this workshop. Setup: Using CLI version 2.9.0 and CodeQL lib version 2.9.0. If you are on OSX, after downloading the CLI and library, you will need to clear the extra attributes set on the zips using the following: xattr -c *.zip. Database creation: Pre-made databases can be downloaded from