Bug 2074340 (CVE-2022-24839) - CVE-2022-24839 nokogiri: Uncontrolled Resource Consumption in org.cyberneko.html (nokogiri fork)
Summary: CVE-2022-24839 nokogiri: Uncontrolled Resource Consumption in org.cyberneko.h...
Alias: CVE-2022-24839
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2074341 2074342 Red Hat2074777 Red Hat2074778 Red Hat2074779 Red Hat2075226
Blocks: Embargoed2074343
TreeView+ depends on / blocked
Reported: 2022-04-12 04:35 UTC by Avinash Hanwate
Modified: 2022-07-07 11:54 UTC (History)
30 users (show)

Fixed In Version: rubygem-nokogiri 1.9.22.noko2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the nokogiri library when processing an ill-formed HTML markup. This flaw allows an attacker to cause uncontrolled resource consumption, which affects performance.
Clone Of:
Last Closed: 2022-06-01 12:33:29 UTC

Attachments (Terms of Use)

Description Avinash Hanwate 2022-04-12 04:35:08 UTC
org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. 

Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.


Comment 1 Avinash Hanwate 2022-04-12 04:35:47 UTC
Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-all [bug 2074341]
Affects: fedora-all [bug 2074342]

Comment 4 Jun Aruga 2022-06-01 12:33:29 UTC
I think the rubygem-nokogiri RPM doesn't ship the Java part at least on Fedora package. We can just close this ticket.
> rm -rf .%{gem_instdir}/ext/java

Note You need to log in before you can comment on or make changes to this bug.