Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
CVE-2022-28366 - High Severity Vulnerability
An HTML parser and tag balancer.
Library home page: http://nekohtml.sourceforge.net/
Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/nekohtml-1.9.22.jar
Dependency Hierarchy: - :x: **nekohtml-1.9.22.jar** (Vulnerable Library)
Found in HEAD commit: e2144e84b1fdbf18c01c24e6ab9ade7b45b25283
Found in base branch: master
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
Publish Date: 2022-04-21
URL: CVE-2022-28366
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/advisories/GHSA-g9hh-vvx3-v37v
Release Date: 2022-04-21
Fix Resolution: net.sourceforge.htmlunit:neko-htmlunit:2.27