Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-23516

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Published

2022-12-14T14:15:10.627

Last Modified

2024-11-21T06:48:43.687

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Primary
CWE-674

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	loofah_project	loofah	< 2.19.1	Yes

References

https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html ([email protected])
https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html (af854a3a-2127-422b-91ae-364da2661108)