Vulnerability Description
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cyberneko Html Project | Cyberneko Html | <= 1.9.22 |
| Htmlunit | Htmlunit | < 2.27 |
| Antisamy Project | Antisamy | < 1.6.6 |
References
- https://github.com/nahsra/antisamy/releases/tag/v1.6.6 (Release Notes, Third Party Advisory)
- https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit (Release Notes, Third Party Advisory)
- https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/ (Release Notes, Third Party Advisory)
FAQ
What is CVE-2022-28366?
CVE-2022-28366 is a vulnerability with a CVSS score of 7.5 (HIGH). Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26 and is fixed in 2.27; it also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), and 1.9.22 is the last version of CyberNeko HTML.
How severe is CVE-2022-28366?
CVE-2022-28366 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above.
Is there a patch for CVE-2022-28366?
Check the references section above for vendor advisories and patch information. HtmlUnit-Neko is fixed in 2.27 and AntiSamy in 1.6.6; CyberNeko HTML has no fixed release, since 1.9.22 is its last version. Affected products: Cyberneko Html Project Cyberneko Html, Htmlunit Htmlunit, Antisamy Project Antisamy.