sureng-ws-ibm / sg-easybuggy

Apache License 2.0
0 stars 0 forks source link

CVE-2022-29546 (High) detected in nekohtml-1.9.16.jar #69

Open mend-for-github-com[bot] opened 11 months ago

mend-for-github-com[bot] commented 11 months ago

CVE-2022-29546 - High Severity Vulnerability

Vulnerable Library - nekohtml-1.9.16.jar

An HTML parser and tag balancer.

Library home page: http://nekohtml.sourceforge.net/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sourceforge/nekohtml/nekohtml/1.9.16/nekohtml-1.9.16.jar

Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - antisamy-1.5.3.jar - :x: **nekohtml-1.9.16.jar** (Vulnerable Library)

Found in HEAD commit: 296020e0003380d28e74bc162330ac1478ce6586

Found in base branch: master

Vulnerability Details

HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.

Publish Date: 2022-04-25

URL: CVE-2022-29546

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-04-25

Fix Resolution: net.sourceforge.htmlunit:neko-htmlunit:2.61.0