GMS-2022-786: Denial of Service (DoS) in Nokogiri on JRuby
Summary
Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to 1.9.22.noko2 which addresses CVE-2022-24839. That CVE is rated 7.5 (High Severity).
See GHSA-9849-p7jc-9rmv for more information.
Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.
Mitigation
Upgrade to Nokogiri >= 1.13.4.
Impact
<a href="https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv" target="_blank" rel="nofollow">CVE-2022-24839</a> in nekohtml
- Severity: High 7.5
- Type: CWE-400 Uncontrolled Resource Consumption
- Description: The fork of
org.cyberneko.htmlused by Nokogiri (Rubygem) raises ajava.lang.OutOfMemoryErrorexception when parsing ill-formed HTML markup. - See also: GHSA-9849-p7jc-9rmv
References
- github.com/advisories/GHSA-gx8x-g87m-h5q6
- github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
- github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
- github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
- github.com/sparklemotion/nokogiri/security/advisories/GHSA-gx8x-g87m-h5q6
- groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ
- nvd.nist.gov/vuln/detail/CVE-2022-24839
Code Behaviors & Features
Detect and mitigate GMS-2022-786 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →