CVE-2022-24729 — MEDIUM (6.5)

Q: How severe is CVE-2022-24729?

CVE-2022-24729 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-24729?

Check the references section above for vendor advisories and patch information. Affected products include: Ckeditor Ckeditor, Drupal Drupal, Oracle Application Express, Oracle Commerce Merchandising, Oracle Financial Services Analytical Applications Infrastructure.

Vulnerability Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Ckeditor	Ckeditor	>= 4.0, < 4.18.0
Drupal	Drupal	>= 8.0.0, < 9.2.15
Oracle	Application Express	< 22.1.1
Oracle	Commerce Merchandising	11.3.2
Oracle	Financial Services Analytical Applications Infrastructure	>= 8.0.7.0.0, <= 8.1.0.0.0
Oracle	Financial Services Behavior Detection Platform	>= 8.1.1.0, <= 8.1.2.1
Oracle	Financial Services Trade-Based Anti Money Laundering	8.0.7
Oracle	Peoplesoft Enterprise Peopletools	8.58
Fedoraproject	Fedora	36

Related Weaknesses (CWE)

CWE-400 CWE-1333

References

https://ckeditor.com/cke4/release/CKEditor-4.18.0Release NotesVendor Advisory
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hhThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.drupal.org/sa-core-2022-005PatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
https://ckeditor.com/cke4/release/CKEditor-4.18.0Release NotesVendor Advisory
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hhThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.drupal.org/sa-core-2022-005PatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2022-24729?

CVE-2022-24729 is a vulnerability with a CVSS score of 6.5 (MEDIUM). CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog inpu...

How severe is CVE-2022-24729?

CVE-2022-24729 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-24729?

Check the references section above for vendor advisories and patch information. Affected products include: Ckeditor Ckeditor, Drupal Drupal, Oracle Application Express, Oracle Commerce Merchandising, Oracle Financial Services Analytical Applications Infrastructure.