CVE-2022-23517 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2022-23517

CVE-2022-23517

December 14, 2022

rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue has been patched in version 1.4.4.

Affected Packages

rails-html-sanitizer (RUBY):

Affected version(s) >=1.0.0 <1.4.4

Fix Suggestion:

Update to version 1.4.4

Related Resources (10)

https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23517.json

https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979

https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23517.yml

https://github.com/rails/rails-html-sanitizer

https://nvd.nist.gov/vuln/detail/CVE-2022-23517