CVE-2022-24839 - Denial of Service (DoS)
Severity: High
2022-10-13
Abstract
The nekohtml package is vulnerable to Denial of Service due to Uncontrolled Resource Consumption. The scanPI() function in the HTMLScanner class mishandles the parsing of a processing instruction while scanning a document. An attacker can leverage this behavior using specially crafted HTML that has a ? or / character at the end of the processing instruction. This causes an infinite loop that appends a byte to a buffer on every cycle, ending in a java.lang.OutOfMemoryError exception.
The Oxygen products incorporate nekohtml as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen XML Author v24.1 and older | High | Oxygen XML Author 24.1 build 2022062007 |
Oxygen XML Developer v24.1 and older | High | Oxygen XML Developer 24.1 build 2022062007 |
Oxygen XML Editor v24.1 and older | High | Oxygen XML Editor 24.1 build 2022062007 |
Oxygen XML Web Author v24.1 and older | High | Oxygen XML Web Author 24.1 build 2022070522 |
Oxygen Content Fusion v4.1.6 and older | High | Oxygen Content Fusion 5.0 build 2022092005 |
Oxygen PDF Chemistry v24.1 and older | High | Oxygen Publishing Engine 24.1 build 2022062023 |
Detail
CVE-2022-24839
Severity: High
CVSS Score: 7.5
The version of the nekohtml third-party library used by Oxygen XML products is one of the affected versions mentioned in the CVE-2022-24839 vulnerability description.
Starting with Oxygen XML Web Author v24.1 build 2022070522, the nekohtml library was updated to a non-vulnerable version.
Starting with Oxygen XML Author v24.1 build 2022062007, the nekohtml library was updated to a non-vulnerable version.
Starting with Oxygen XML Developer v24.1 build 2022062007, the nekohtml library was updated to a non-vulnerable version.
Starting with Oxygen XML Editor v24.1 build 2022062007, the nekohtml library was updated to a non-vulnerable version.
Starting with Oxygen PDF Chemistry v24.1 build 2022062023, the nekohtml library was removed.
Starting with Oxygen Content Fusion v5.0 build 2022092005, the nekohtml library was updated to a non-vulnerable version.
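To confirm after an upgrade that an installation no longer bundles an old nekohtml copy (or, for PDF Chemistry, bundles none at all), the following added example inventories the nekohtml jars under an install directory. It is not Oxygen or nekohtml code; it assumes the jar file name contains "nekohtml" and that the version is recorded in the jar manifest.

```python
import io, os, re, sys, zipfile

# Assumption: bundled copies keep "nekohtml" in the jar file name.
JAR_NAME = re.compile(r"nekohtml[^/\\]*\.jar$", re.IGNORECASE)
CONTAINERS = (".war", ".ear", ".zip")   # archives that may embed the jar
MAX_ENTRY = 64 * 1024 * 1024            # skip oversized entries instead of reading them

def manifest_version(jar_bytes):
    """Return Implementation-Version or Bundle-Version from the jar manifest, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile):
        return None
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:[ \t]*(\S+)", text, re.MULTILINE)
        if m:
            return m.group(1)
    return None

def find_nekohtml(root):
    """Walk an install directory; return sorted (location, version) for each nekohtml jar."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if JAR_NAME.search(name):
                with open(path, "rb") as fh:
                    hits.append((path, manifest_version(fh.read())))
            elif name.lower().endswith(CONTAINERS):
                try:
                    with zipfile.ZipFile(path) as outer:
                        for info in outer.infolist():
                            if JAR_NAME.search(info.filename) and info.file_size <= MAX_ENTRY:
                                inner = outer.read(info)
                                hits.append((f"{path}!{info.filename}", manifest_version(inner)))
                except (zipfile.BadZipFile, OSError):
                    continue  # unreadable archive: nothing to report
    return sorted(hits, key=lambda h: h[0])

if __name__ == "__main__":
    # Usage: python find_nekohtml.py /path/to/install/directory
    for location, version in find_nekohtml(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{location}\tversion={version or 'unknown'}")
```

Compare each reported version against the nekohtml version shipped in the fixed builds listed above; a copy whose version is reported as unknown needs manual inspection.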