2074346 – (CVE-2022-24836) CVE-2022-24836 nokogiri: ReDoS in HTML encoding detection

Bug 2074346 (CVE-2022-24836) - CVE-2022-24836 nokogiri: ReDoS in HTML encoding detection

Summary: CVE-2022-24836 nokogiri: ReDoS in HTML encoding detection

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-24836
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2074347 2074348 2074362 2074774 2074775 2074776
Blocks:	2074349
TreeView+	depends on / blocked

Reported:	2022-04-12 04:47 UTC by Avinash Hanwate
Modified:	2022-12-07 09:02 UTC (History)
CC List:	36 users (show)
Fixed In Version:	nokogiri 1.13.4
Clone Of:
Environment:
Last Closed:	2022-12-07 09:02:51 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:8506	0	None	None	None	2022-11-16 13:32:14 UTC

Description Avinash Hanwate 2022-04-12 04:47:18 UTC

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd

Comment 1 Avinash Hanwate 2022-04-12 04:47:50 UTC

Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-all [bug 2074347]
Affects: fedora-all [bug 2074348]

Comment 7 errata-xmlrpc 2022-11-16 13:32:11 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.12 for RHEL 8

Via RHSA-2022:8506 https://access.redhat.com/errata/RHSA-2022:8506

Comment 8 Product Security DevOps Team 2022-12-07 09:02:48 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24836

Note You need to log in before you can comment on or make changes to this bug.

akarol
bbuckingham
bcourt
btotty
caswilli
dhalasz
dmetzger
ehelms
extras-orphan
gmccullo
gtanzill
jfrey
jhardy
jsherril
jwong
kaycoth
kshier
lzap
mhulan
mtasaka
myarboro
nmoumoul
obarenbo
orabin
pcreech
pvalena
rchan
roliveri
ruby-maint
simaishi
smallamp
sthirugn
vanmeeuwen+fedora
vkrizan
vmugicag
vondruch