GHSA-486f-hjj9-9vhh: Inefficient Regular Expression Complexity in Loofah

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

Credit

This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).

Package

bundler loofah (RubyGems)

Affected versions

< 2.19.1

Patched versions

2.19.1

References

  • CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)
  • https://hackerone.com/reports/1684163

References

  • GHSA-486f-hjj9-9vhh
  • flavorjones/loofah@a6e0a1a

flavorjones published the maintainer security advisory on Dec 13, 2022.

Severity

High, 7.5 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CWE-1333

CVE ID

CVE-2022-23514

GHSA ID

GHSA-486f-hjj9-9vhh

Source code

flavorjones/loofah

Related news

Red Hat Security Advisory 2023-2097-03

Red Hat Security Advisory 2023-2097-03 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, deserialization, improper neutralization, information leakage, and remote shell upload vulnerabilities.

CVE-2022-23514

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1.