csaf_opensuse - opensuse-su-2024:11999-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

ruby3.1-rubygem-nokogiri-1.13.4-1.1 on GA media

Notes

Title of the patch

ruby3.1-rubygem-nokogiri-1.13.4-1.1 on GA media

Description of the patch

These are all security issues fixed in the ruby3.1-rubygem-nokogiri-1.13.4-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-11999

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://www.suse.com/support/security/rating/",
         text: "moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright 2024 SUSE LLC. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "ruby3.1-rubygem-nokogiri-1.13.4-1.1 on GA media",
            title: "Title of the patch",
         },
         {
            category: "description",
            text: "These are all security issues fixed in the ruby3.1-rubygem-nokogiri-1.13.4-1.1 package on the GA media of openSUSE Tumbleweed.",
            title: "Description of the patch",
         },
         {
            category: "details",
            text: "openSUSE-Tumbleweed-2024-11999",
            title: "Patchnames",
         },
         {
            category: "legal_disclaimer",
            text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
            title: "Terms of use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://www.suse.com/support/security/contact/",
         name: "SUSE Product Security Team",
         namespace: "https://www.suse.com/",
      },
      references: [
         {
            category: "external",
            summary: "SUSE ratings",
            url: "https://www.suse.com/support/security/rating/",
         },
         {
            category: "self",
            summary: "URL of this CSAF notice",
            url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11999-1.json",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2018-25032 page",
            url: "https://www.suse.com/security/cve/CVE-2018-25032/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2022-23437 page",
            url: "https://www.suse.com/security/cve/CVE-2022-23437/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2022-24836 page",
            url: "https://www.suse.com/security/cve/CVE-2022-24836/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2022-24839 page",
            url: "https://www.suse.com/security/cve/CVE-2022-24839/",
         },
      ],
      title: "ruby3.1-rubygem-nokogiri-1.13.4-1.1 on GA media",
      tracking: {
         current_release_date: "2024-06-15T00:00:00Z",
         generator: {
            date: "2024-06-15T00:00:00Z",
            engine: {
               name: "cve-database.git:bin/generate-csaf.pl",
               version: "1",
            },
         },
         id: "openSUSE-SU-2024:11999-1",
         initial_release_date: "2024-06-15T00:00:00Z",
         revision_history: [
            {
               date: "2024-06-15T00:00:00Z",
               number: "1",
               summary: "Current version",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
                        product: {
                           name: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
                           product_id: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "aarch64",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
                        product: {
                           name: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
                           product_id: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "ppc64le",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
                        product: {
                           name: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
                           product_id: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "s390x",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
                        product: {
                           name: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
                           product_id: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "x86_64",
               },
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "openSUSE Tumbleweed",
                        product: {
                           name: "openSUSE Tumbleweed",
                           product_id: "openSUSE Tumbleweed",
                           product_identification_helper: {
                              cpe: "cpe:/o:opensuse:tumbleweed",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "SUSE Linux Enterprise",
               },
            ],
            category: "vendor",
            name: "SUSE",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64 as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
            },
            product_reference: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
            },
            product_reference: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
            },
            product_reference: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64 as component of openSUSE Tumbleweed",
               product_id: "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
            },
            product_reference: "ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
            relates_to_product_reference: "openSUSE Tumbleweed",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2018-25032",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2018-25032",
            },
         ],
         notes: [
            {
               category: "general",
               text: "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2018-25032",
               url: "https://www.suse.com/security/cve/CVE-2018-25032",
            },
            {
               category: "external",
               summary: "SUSE Bug 1197459 for CVE-2018-25032",
               url: "https://bugzilla.suse.com/1197459",
            },
            {
               category: "external",
               summary: "SUSE Bug 1197893 for CVE-2018-25032",
               url: "https://bugzilla.suse.com/1197893",
            },
            {
               category: "external",
               summary: "SUSE Bug 1198667 for CVE-2018-25032",
               url: "https://bugzilla.suse.com/1198667",
            },
            {
               category: "external",
               summary: "SUSE Bug 1199104 for CVE-2018-25032",
               url: "https://bugzilla.suse.com/1199104",
            },
            {
               category: "external",
               summary: "SUSE Bug 1200049 for CVE-2018-25032",
               url: "https://bugzilla.suse.com/1200049",
            },
            {
               category: "external",
               summary: "SUSE Bug 1201732 for CVE-2018-25032",
               url: "https://bugzilla.suse.com/1201732",
            },
            {
               category: "external",
               summary: "SUSE Bug 1202688 for CVE-2018-25032",
               url: "https://bugzilla.suse.com/1202688",
            },
            {
               category: "external",
               summary: "SUSE Bug 1224427 for CVE-2018-25032",
               url: "https://bugzilla.suse.com/1224427",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 8.1,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               products: [
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2024-06-15T00:00:00Z",
               details: "important",
            },
         ],
         title: "CVE-2018-25032",
      },
      {
         cve: "CVE-2022-23437",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2022-23437",
            },
         ],
         notes: [
            {
               category: "general",
               text: "There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2022-23437",
               url: "https://www.suse.com/security/cve/CVE-2022-23437",
            },
            {
               category: "external",
               summary: "SUSE Bug 1195108 for CVE-2022-23437",
               url: "https://bugzilla.suse.com/1195108",
            },
            {
               category: "external",
               summary: "SUSE Bug 1196394 for CVE-2022-23437",
               url: "https://bugzilla.suse.com/1196394",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2024-06-15T00:00:00Z",
               details: "important",
            },
         ],
         title: "CVE-2022-23437",
      },
      {
         cve: "CVE-2022-24836",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2022-24836",
            },
         ],
         notes: [
            {
               category: "general",
               text: "Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2022-24836",
               url: "https://www.suse.com/security/cve/CVE-2022-24836",
            },
            {
               category: "external",
               summary: "SUSE Bug 1198408 for CVE-2022-24836",
               url: "https://bugzilla.suse.com/1198408",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2024-06-15T00:00:00Z",
               details: "important",
            },
         ],
         title: "CVE-2022-24836",
      },
      {
         cve: "CVE-2022-24839",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2022-24839",
            },
         ],
         notes: [
            {
               category: "general",
               text: "org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
               "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2022-24839",
               url: "https://www.suse.com/security/cve/CVE-2022-24839",
            },
            {
               category: "external",
               summary: "SUSE Bug 1198404 for CVE-2022-24839",
               url: "https://bugzilla.suse.com/1198404",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.aarch64",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.ppc64le",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.s390x",
                  "openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.4-1.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2024-06-15T00:00:00Z",
               details: "important",
            },
         ],
         title: "CVE-2022-24839",
      },
   ],
}

cve-2022-23437

Vulnerability from cvelistv5

Published

2022-01-24 00:00

Modified

2024-08-03 03:43

Severity ?

Summary

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

References

▼	URL	Tags
	https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
	http://www.openwall.com/lists/oss-security/2022/01/24/3	mailing-list
	https://www.oracle.com/security-alerts/cpuapr2022.html
	https://www.oracle.com/security-alerts/cpujul2022.html
	https://security.netapp.com/advisory/ntap-20221028-0005/

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Xerces	Version: Apache XercesJ <

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T03:43:45.690Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl",
               },
               {
                  name: "[oss-security] 20220124 CVE-2022-23437: Infinite loop within Apache XercesJ xml parser",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2022/01/24/3",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20221028-0005/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Apache Xerces",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThanOrEqual: "2.12.1",
                     status: "affected",
                     version: "Apache XercesJ",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "This issue was discovered by Sergey Temnikov and Ziyi Luo, from Amazon Corretto/JDK Team",
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     other: "high",
                  },
                  type: "unknown",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "Infinite loop within Apache XercesJ xml parser",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-10-28T00:00:00",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               url: "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl",
            },
            {
               name: "[oss-security] 20220124 CVE-2022-23437: Infinite loop within Apache XercesJ xml parser",
               tags: [
                  "mailing-list",
               ],
               url: "http://www.openwall.com/lists/oss-security/2022/01/24/3",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20221028-0005/",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Infinite loop within Apache XercesJ xml parser",
         workarounds: [
            {
               lang: "en",
               value: "Apache XercesJ users, should migrate to version 2.12.2",
            },
         ],
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2022-23437",
      datePublished: "2022-01-24T00:00:00",
      dateReserved: "2022-01-19T00:00:00",
      dateUpdated: "2024-08-03T03:43:45.690Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-24836

Vulnerability from cvelistv5

Published

2022-04-11 00:00

Modified

2024-09-03 12:03

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.

References

▼	URL	Tags
	https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
	https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html	mailing-list
	https://security.gentoo.org/glsa/202208-29	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html	mailing-list
	https://support.apple.com/kb/HT213532
	http://seclists.org/fulldisclosure/2022/Dec/23	mailing-list

Impacted products

	Vendor	Product	Version
	sparklemotion	nokogiri	Version: < 1.13.4

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-09-03T12:03:46.858Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd",
               },
               {
                  name: "FEDORA-2022-9ed7641ce0",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/",
               },
               {
                  name: "FEDORA-2022-132c6d7c2e",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/",
               },
               {
                  name: "FEDORA-2022-d231cb5e1f",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/",
               },
               {
                  name: "[debian-lts-announce] 20220513 [SECURITY] [DLA 3003-1] ruby-nokogiri security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html",
               },
               {
                  name: "GLSA-202208-29",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202208-29",
               },
               {
                  name: "[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT213532",
               },
               {
                  name: "20221220 APPLE-SA-2022-12-13-4 macOS Ventura 13.1",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2022/Dec/23",
               },
               {
                  url: "https://lists.debian.org/debian-lts-announce/2024/09/msg00010.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "nokogiri",
               vendor: "sparklemotion",
               versions: [
                  {
                     status: "affected",
                     version: "< 1.13.4",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-400",
                     description: "CWE-400: Uncontrolled Resource Consumption",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
            {
               descriptions: [
                  {
                     cweId: "CWE-1333",
                     description: "CWE-1333: Inefficient Regular Expression Complexity",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-12-21T00:00:00",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               url: "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8",
            },
            {
               url: "https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd",
            },
            {
               name: "FEDORA-2022-9ed7641ce0",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/",
            },
            {
               name: "FEDORA-2022-132c6d7c2e",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/",
            },
            {
               name: "FEDORA-2022-d231cb5e1f",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/",
            },
            {
               name: "[debian-lts-announce] 20220513 [SECURITY] [DLA 3003-1] ruby-nokogiri security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html",
            },
            {
               name: "GLSA-202208-29",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202208-29",
            },
            {
               name: "[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html",
            },
            {
               url: "https://support.apple.com/kb/HT213532",
            },
            {
               name: "20221220 APPLE-SA-2022-12-13-4 macOS Ventura 13.1",
               tags: [
                  "mailing-list",
               ],
               url: "http://seclists.org/fulldisclosure/2022/Dec/23",
            },
         ],
         source: {
            advisory: "GHSA-crjr-9rc5-ghw8",
            discovery: "UNKNOWN",
         },
         title: "Inefficient Regular Expression Complexity in Nokogiri",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2022-24836",
      datePublished: "2022-04-11T00:00:00",
      dateReserved: "2022-02-10T00:00:00",
      dateUpdated: "2024-09-03T12:03:46.858Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-24839

Vulnerability from cvelistv5

Published

2022-04-11 21:25

Modified

2024-08-03 04:20

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.

References

▼	URL	Tags
	https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv	x_refsource_CONFIRM
	https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	sparklemotion	nekohtml	Version: < 1.9.22.noko2

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T04:20:50.515Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "nekohtml",
               vendor: "sparklemotion",
               versions: [
                  {
                     status: "affected",
                     version: "< 1.9.22.noko2",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-400",
                     description: "CWE-400: Uncontrolled Resource Consumption",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-07-25T16:52:31",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
         ],
         source: {
            advisory: "GHSA-9849-p7jc-9rmv",
            discovery: "UNKNOWN",
         },
         title: "Uncontrolled Resource Consumption in org.cyberneko.html (nokogiri fork)",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2022-24839",
               STATE: "PUBLIC",
               TITLE: "Uncontrolled Resource Consumption in org.cyberneko.html (nokogiri fork)",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "nekohtml",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "< 1.9.22.noko2",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "sparklemotion",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-400: Uncontrolled Resource Consumption",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv",
                     refsource: "CONFIRM",
                     url: "https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv",
                  },
                  {
                     name: "https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d",
                     refsource: "MISC",
                     url: "https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2022.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2022.html",
                  },
               ],
            },
            source: {
               advisory: "GHSA-9849-p7jc-9rmv",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2022-24839",
      datePublished: "2022-04-11T21:25:12",
      dateReserved: "2022-02-10T00:00:00",
      dateUpdated: "2024-08-03T04:20:50.515Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2018-25032

Vulnerability from cvelistv5

Published

2022-03-25 00:00

Modified

2024-08-05 12:26

Severity ?

Summary

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

References

▼	URL	Tags
	https://www.openwall.com/lists/oss-security/2022/03/24/1
	https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
	http://www.openwall.com/lists/oss-security/2022/03/25/2	mailing-list
	http://www.openwall.com/lists/oss-security/2022/03/26/1	mailing-list
	https://www.debian.org/security/2022/dsa-5111	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html	mailing-list
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html	mailing-list
	http://seclists.org/fulldisclosure/2022/May/33	mailing-list
	http://seclists.org/fulldisclosure/2022/May/35	mailing-list
	http://seclists.org/fulldisclosure/2022/May/38	mailing-list
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/	vendor-advisory
	https://www.oracle.com/security-alerts/cpujul2022.html
	https://www.openwall.com/lists/oss-security/2022/03/28/3
	https://www.openwall.com/lists/oss-security/2022/03/28/1
	https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
	https://github.com/madler/zlib/issues/605
	https://support.apple.com/kb/HT213257
	https://support.apple.com/kb/HT213256
	https://support.apple.com/kb/HT213255
	https://security.netapp.com/advisory/ntap-20220526-0009/
	https://security.netapp.com/advisory/ntap-20220729-0004/
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html	mailing-list
	https://security.gentoo.org/glsa/202210-42	vendor-advisory
	https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T12:26:39.599Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.openwall.com/lists/oss-security/2022/03/24/1",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531",
               },
               {
                  name: "[oss-security] 20220325 Re: zlib memory corruption on deflate (i.e. compress)",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2022/03/25/2",
               },
               {
                  name: "[oss-security] 20220326 Re: zlib memory corruption on deflate (i.e. compress)",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2022/03/26/1",
               },
               {
                  name: "DSA-5111",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2022/dsa-5111",
               },
               {
                  name: "[debian-lts-announce] 20220402 [SECURITY] [DLA 2968-1] zlib security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html",
               },
               {
                  name: "FEDORA-2022-413a80a102",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/",
               },
               {
                  name: "FEDORA-2022-dbd2935e44",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/",
               },
               {
                  name: "FEDORA-2022-12b89e2aad",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/",
               },
               {
                  name: "[debian-lts-announce] 20220507 [SECURITY] [DLA 2993-1] libz-mingw-w64 security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html",
               },
               {
                  name: "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2022/May/33",
               },
               {
                  name: "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2022/May/35",
               },
               {
                  name: "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://seclists.org/fulldisclosure/2022/May/38",
               },
               {
                  name: "FEDORA-2022-61cf1c64f6",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2022.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.openwall.com/lists/oss-security/2022/03/28/3",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.openwall.com/lists/oss-security/2022/03/28/1",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/madler/zlib/compare/v1.2.11...v1.2.12",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/madler/zlib/issues/605",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT213257",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT213256",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://support.apple.com/kb/HT213255",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20220526-0009/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20220729-0004/",
               },
               {
                  name: "FEDORA-2022-3a92250fd5",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/",
               },
               {
                  name: "FEDORA-2022-b58a85e167",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/",
               },
               {
                  name: "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html",
               },
               {
                  name: "GLSA-202210-42",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202210-42",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-12-13T00:00:00",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               url: "https://www.openwall.com/lists/oss-security/2022/03/24/1",
            },
            {
               url: "https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531",
            },
            {
               name: "[oss-security] 20220325 Re: zlib memory corruption on deflate (i.e. compress)",
               tags: [
                  "mailing-list",
               ],
               url: "http://www.openwall.com/lists/oss-security/2022/03/25/2",
            },
            {
               name: "[oss-security] 20220326 Re: zlib memory corruption on deflate (i.e. compress)",
               tags: [
                  "mailing-list",
               ],
               url: "http://www.openwall.com/lists/oss-security/2022/03/26/1",
            },
            {
               name: "DSA-5111",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://www.debian.org/security/2022/dsa-5111",
            },
            {
               name: "[debian-lts-announce] 20220402 [SECURITY] [DLA 2968-1] zlib security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html",
            },
            {
               name: "FEDORA-2022-413a80a102",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/",
            },
            {
               name: "FEDORA-2022-dbd2935e44",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/",
            },
            {
               name: "FEDORA-2022-12b89e2aad",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/",
            },
            {
               name: "[debian-lts-announce] 20220507 [SECURITY] [DLA 2993-1] libz-mingw-w64 security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html",
            },
            {
               name: "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
               tags: [
                  "mailing-list",
               ],
               url: "http://seclists.org/fulldisclosure/2022/May/33",
            },
            {
               name: "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
               tags: [
                  "mailing-list",
               ],
               url: "http://seclists.org/fulldisclosure/2022/May/35",
            },
            {
               name: "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
               tags: [
                  "mailing-list",
               ],
               url: "http://seclists.org/fulldisclosure/2022/May/38",
            },
            {
               name: "FEDORA-2022-61cf1c64f6",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujul2022.html",
            },
            {
               url: "https://www.openwall.com/lists/oss-security/2022/03/28/3",
            },
            {
               url: "https://www.openwall.com/lists/oss-security/2022/03/28/1",
            },
            {
               url: "https://github.com/madler/zlib/compare/v1.2.11...v1.2.12",
            },
            {
               url: "https://github.com/madler/zlib/issues/605",
            },
            {
               url: "https://support.apple.com/kb/HT213257",
            },
            {
               url: "https://support.apple.com/kb/HT213256",
            },
            {
               url: "https://support.apple.com/kb/HT213255",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20220526-0009/",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20220729-0004/",
            },
            {
               name: "FEDORA-2022-3a92250fd5",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/",
            },
            {
               name: "FEDORA-2022-b58a85e167",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/",
            },
            {
               name: "[debian-lts-announce] 20220916 [SECURITY] [DLA 3114-1] mariadb-10.3 security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html",
            },
            {
               name: "GLSA-202210-42",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202210-42",
            },
            {
               url: "https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2018-25032",
      datePublished: "2022-03-25T00:00:00",
      dateReserved: "2022-03-25T00:00:00",
      dateUpdated: "2024-08-05T12:26:39.599Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

Vulnerability from csaf_opensuse

cve-2022-23437

Vulnerability from cvelistv5

cve-2022-24836

Vulnerability from cvelistv5

cve-2022-24839

Vulnerability from cvelistv5

cve-2018-25032

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature