CVE-2022-24839 - Denial of Service (DoS)

Abstract

The nekohtml package is vulnerable to Denial of Service due to Uncontrolled Resource Consumption. The scanPI() function in the HTMLScanner class mishandles the parsing of a processing instruction while scanning a document. An attacker can leverage this behavior using a specially-crafted HTML composition, which has a ? or / character at the end of the processed instruction, to cause an infinite loop that appends a byte in a buffer in every cycle, causing a java.lang.OutOfMemoryError exception.

The Oxygen products incorporate nekohtml as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Mitigation

None

Detail

CVE-2022-24839

Severity: High

CVSS Score: 7.5

The nekohtml third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24839 vulnerability description.

Starting with Oxygen XML Web Author v24.1 build 2022070522 nekohtml library was updated to a non-vulnerable version.

Starting with Oxygen XML Author v24.1 build 2022062007 nekohtml library was updated to a non-vulnerable version.

Starting with Oxygen XML Developer v24.1 build 2022062007 nekohtml library was updated to a non-vulnerable version.

Starting with Oxygen XML Editor v24.1 build 2022062007 nekohtml library was updated to a non-vulnerable version.

Starting with Oxygen PDF Chemistry v24.1 build 2022062023 nekohtml library was removed.

Starting with Oxygen Content Fusion v5.0 build 2022092005 nekohtml library was updated to a non-vulnerable version.