CVE-2022-23517

CVSS V2 None CVSS V3 None
Description
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue has been patched in version 1.4.4.
Overview
  • CVE ID
  • CVE-2022-23517
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-12-14T17:15:10
  • Last Modified Date
  • 2022-12-16T19:13:24
Weakness Enumerations
CWE URL
CWE-1333 http://cwe.mitre.org/data/definitions/1333.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:rails_html_sanitizer_project:rails_html_sanitizer:*:*:*:*:*:ruby:*:* 1 OR 1.4.4
References
Reference URL Reference Tags
https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w
https://hackerone.com/reports/1684163
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-23517
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23517
History
Created Old Value New Value Data Type Notes
2022-12-14 18:15:35 Added to TrackCVE
2022-12-14 19:16:26 2022-12-14T17:15:10.130 2022-12-14T17:15:10 CVE Published Date updated
2022-12-14 19:16:26 2022-12-14T19:14:44 CVE Modified Date updated
2022-12-14 19:16:26 Received Awaiting Analysis Vulnerability Status updated
2022-12-18 04:35:32 2022-12-16T19:13:24 CVE Modified Date updated
2022-12-18 04:35:32 Awaiting Analysis Analyzed Vulnerability Status updated
2022-12-18 04:35:42 CPE Information updated