2074346 – (CVE-2022-24836) CVE-2022-24836 nokogiri: ReDoS in HTML encoding detection

Bug 2074346 (CVE-2022-24836) - CVE-2022-24836 nokogiri: ReDoS in HTML encoding detection

Summary: CVE-2022-24836 nokogiri: ReDoS in HTML encoding detection

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-24836
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2074347 2074348 2074362 2074774 2074775 2074776
Blocks:	2074349
TreeView+	depends on / blocked

Reported:	2022-04-12 04:47 UTC by Avinash Hanwate
Modified:	2022-12-07 09:02 UTC (History)
CC List:	36 users (show)
Fixed In Version:	nokogiri 1.13.4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the nokogiri library when processing an inefficient and complex regular expression. This flaw allows an attacker to cause excessive consumption of resources, which affects performance.
Clone Of:
Environment:
Last Closed:	2022-12-07 09:02:51 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:8506	0	None	None	None	2022-11-16 13:32:14 UTC

Description Avinash Hanwate 2022-04-12 04:47:18 UTC

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd

Comment 1 Avinash Hanwate 2022-04-12 04:47:50 UTC

Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-all [bug 2074347]
Affects: fedora-all [bug 2074348]

Comment 7 errata-xmlrpc 2022-11-16 13:32:11 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.12 for RHEL 8

Via RHSA-2022:8506 https://access.redhat.com/errata/RHSA-2022:8506

Comment 8 Product Security DevOps Team 2022-12-07 09:02:48 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24836

Note You need to log in before you can comment on or make changes to this bug.

akarol
bbuckingham
bcourt
btotty
caswilli
dhalasz
dmetzger
ehelms
extras-orphan
gmccullo
gtanzill
jfrey
jhardy
jsherril
jwong
kaycoth
kshier
lzap
mhulan
mtasaka
myarboro
nmoumoul
obarenbo
orabin
pcreech
pvalena
rchan
roliveri
ruby-maint
simaishi
smallamp
sthirugn
vanmeeuwen+fedora
vkrizan
vmugicag
vondruch