CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23517 – Inefficient Regular Expression Complexity in rails-html-sanitizer
https://notcve.org/view.php?id=CVE-2022-23517
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue has been patched in version 1.4.4. rails-html-sanitizer es responsable de sanitizar fragmentos HTML en aplicaciones Rails. Ciertas configuraciones de rails-html-sanitizer < 1.4.4 utilizan una expresión regular ineficiente que es susceptible a un retroceso excesivo al intentar sanitizar ciertos atributos SVG. • https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979 https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w https://hackerone.com/reports/1684163 https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html https://access.redhat.com/security/cve/CVE-2022-23517 https://bugzilla.redhat.com/show_bug.cgi?id=2153720 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23515 – Improper neutralization of data URIs may allow XSS in Loofah
https://notcve.org/view.php?id=CVE-2022-23515
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs. This issue is patched in version 2.19.1. Loofah es una librería general para manipular y transformar documentos y fragmentos HTML / XML, construida sobre Nokogiri. Loofah >= 2.1.0, < 2.19.1 es vulnerable a Cross-Site Scripting (XSS) a través del tipo de medio image/svg+xml en las URI de datos. • https://github.com/flavorjones/loofah/issues/101 https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx https://hackerone.com/reports/1694173 https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html https://access.redhat.com/security/cve/CVE-2022-23515 https://bugzilla.redhat.com/show_bug.cgi?id=2153262 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-45693 – jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos
https://notcve.org/view.php?id=CVE-2022-45693
Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string. Se descubrió que Jettison anterior a v1.5.2 contenía un desbordamiento de pila a través del parámetro map. Esta vulnerabilidad permite a los atacantes provocar una Denegación de Servicio (DoS) a través de una cadena manipulada. A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. • https://github.com/jettison-json/jettison/issues/52 https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html https://www.debian.org/security/2023/dsa-5312 https://access.redhat.com/security/cve/CVE-2022-45693 https://bugzilla.redhat.com/show_bug.cgi?id=2155970 • CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-41915
https://notcve.org/view.php?id=CVE-2022-41915
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values. • https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4 https://github.com/netty/netty/issues/13084 https://github.com/netty/netty/pull/12760 https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html https://security.netapp.com/advisory/ntap-20230113-0004 https://www.debian.org/security/2023/dsa-5316 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') CWE-436: Interpretation Conflict •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-45685 – jettison: stack overflow in JSONObject() allows attackers to cause a Denial of Service (DoS) via crafted JSON data
https://notcve.org/view.php?id=CVE-2022-45685
A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data. Un desbordamiento de pila en Jettison anterior a v1.5.2 permite a los atacantes provocar una Denegación de Servicio (DoS) a través de datos JSON manipulados. A flaw was found in Jettison. Sending a specially crafted string can cause a stack-based buffer overflow. This issue may allow a remote attacker to cause a denial of service. • https://github.com/jettison-json/jettison/issues/54 https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html https://www.debian.org/security/2023/dsa-5312 https://access.redhat.com/security/cve/CVE-2022-45685 https://bugzilla.redhat.com/show_bug.cgi?id=2214825 • CWE-787: Out-of-bounds Write •