CVE-2022-24836

Name
CVE-2022-24836
Description
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
MISC https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/
MLIST https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:* ruby-nokogiri >= None < 1.13.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
ruby-nokogiri 3.15-community 1.12.5-r0 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable