CVE-2022-23514

描述

## Summary Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`. ## Severity The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). ## References - [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html) - https://hackerone.com/reports/1684163 ## Credit This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).

受影響套件(4)

• Debian/ruby-loofahfrom 0, < 2.7.0+dfsg-1+deb11u1
• Debian/ruby-loofahfrom 0, < 2.2.3-1+deb10u2
• Debian/ruby-loofahfrom 0, < 2.7.0+dfsg-1+deb11u1
• RubyGems/loofahfrom 0, < 2.19.1

CVSS 分數

參考連結(9)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-23514
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-23514
• PATCHhttps://github.com/flavorjones/loofah
• WEBhttps://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
• WEBhttps://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
• WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml
• WEBhttps://hackerone.com/reports/1684163
• WEBhttps://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
• WEBhttps://lists.debian.org/debian-lts-announce/2024/09/msg00044.html