Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02am1tLW1wNnctNHJyZ81BKg
OutOfMemory Exception by specifically crafted processing instruction in NekoHtml Parser
Impact
NekoHtml Parser suffers from a denial of service vulnerability on versions 2.60.0 and below. A specifically crafted input regarding the parsing of processing instructions leads to heap memory consumption. Please update to version 2.61.0.
For more information
If you have any questions or comments about this advisory:
- Open an issue in https://github.com/HtmlUnit/htmlunit-neko
- Email us at [rbri at rbri.de]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02am1tLW1wNnctNHJyZ81BKg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-6jmm-mp6w-4rrg, CVE-2022-29546
References:
- https://github.com/HtmlUnit/htmlunit-neko/security/advisories/GHSA-6jmm-mp6w-4rrg
- https://nvd.nist.gov/vuln/detail/CVE-2022-29546
- https://github.com/HtmlUnit/htmlunit-neko/commit/9d2aecd69223469e40c12ca3edddda09009110cc
- https://github.com/advisories/GHSA-6jmm-mp6w-4rrg
Blast Radius: 14.9
Affected Packages
maven:net.sourceforge.htmlunit:neko-htmlunit
Dependent packages: 27Dependent repositories: 97
Downloads:
Affected Version Ranges: < 2.61.0
Fixed in: 2.61.0
All affected versions: 2.34.0, 2.35.0, 2.36.0, 2.37.0, 2.38.0, 2.39.0, 2.40.0, 2.41.0, 2.42.0, 2.43.0, 2.44.0, 2.45.0, 2.46.0, 2.47.0, 2.47.1, 2.48.0, 2.49.0, 2.50.0, 2.51.0, 2.52.0, 2.53.0, 2.54.0, 2.55.0, 2.56.0, 2.57.0, 2.58.0, 2.59.0, 2.60.0
All unaffected versions: 2.61.0, 2.62.0, 2.63.0, 2.64.0, 2.65.0, 2.66.0, 2.67.0, 2.68.0, 2.69.0, 2.70.0