CVE-2022-28366

NameCVE-2022-28366
DescriptionCertain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24939.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs1010154

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libowasp-antisamy-java (PTS)buster, stretch1.5.3+dfsg-1vulnerable
bookworm, sid, bullseye1.5.3+dfsg-1.1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libowasp-antisamy-javasource(unstable)(unfixed)1010154

Notes

https://github.com/nahsra/antisamy/releases/tag/v1.6.6
https://github.com/nahsra/antisamy/issues/174
check upstream for commits

Search for package or bug name: Reporting problems