Vulnerability Name:

CVE-2022-24839 (CCN-224089)

Assigned: 2022-04-11
Published: 2022-04-11
Updated: 2023-02-23
Summary:Sparkle Motion Nokogiri is vulnerable to a denial of service, caused by a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup in the fork of org.cyberneko.html. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Consequences: Denial of Service
References: Source: MITRE
Type: CNA
CVE-2022-24839

Source: XF
Type: UNKNOWN
sparklemotion-cve202224839-dos(224089)

Source: security-advisories@github.com
Type: Patch
security-advisories@github.com

Source: CCN
Type: nekohtml GIT Repository
Uncontrolled Resource Consumption in org.cyberneko.html (nokogiri fork)

Source: security-advisories@github.com
Type: Vendor Advisory
security-advisories@github.com

Source: CCN
Type: IBM Security Bulletin 6824871 (WebSphere Application Server Liberty)
IBM WebSphere Application Server Liberty is vulnerable to a Denial of Service due to Neko HTML (CVE-2022-24839)

Source: CCN
Type: IBM Security Bulletin 6831335 (Voice Gateway)
Multiple Security Vulnerabilities in IBM WebSphere Liberty affects IBM Voice Gateway

Source: CCN
Type: IBM Security Bulletin 6831813 (Netcool Operations Insight)
Netcool Operations Insight v1.6.6 contains fixes for multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6832378 (Liberty for Java)
Liberty for Java for IBM Cloud is vulnerable to a Denial of Service due to Neko HTML (CVE-2022-24839)

Source: CCN
Type: IBM Security Bulletin 6832400 (Watson Assistant for Cloud Pak for data)
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to WebSphere Application Server Liberty Denial of Service due to Neko HTML (CVE-2022-24839)

Source: CCN
Type: IBM Security Bulletin 6832450 (TXSeries for Multiplatforms)
A vulnerability (CVE-2022-24839) in WebSphere Application Server Liberty affects IBM TXSeries for Multiplatforms

Source: CCN
Type: IBM Security Bulletin 6832808 (CICS TX Advanced)
A vulnerability (CVE-2022-24839) in WebSphere Application Server Liberty affects IBM CICS TX Advanced

Source: CCN
Type: IBM Security Bulletin 6832906 (CICS TX Standard)
A vulnerability (CVE-2022-24839) in WebSphere Application Server Liberty affects IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6836859 (MQ)
IBM MQ is affected by a denial of service issue in IBM WebSphere Application Server Liberty (CVE-2022-24839)

Source: CCN
Type: IBM Security Bulletin 6840931 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in WebSphere Application Server Liberty

Source: CCN
Type: IBM Security Bulletin 6841271 (Sterling Control Center)
IBM Sterling Control Center is vulnerable to denial of service due to Websphere Liberty (CVE-2022-24839)

Source: CCN
Type: IBM Security Bulletin 6846167 (PowerVM NovaLink)
IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable because Sparkle Motion Nokogiri is vulnerable to a denial of service, (CVE-2022-24839)

Source: CCN
Type: IBM Security Bulletin 6846257 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6847349 (Tivoli Netcool Impact)
Multiple vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-24839, CVE-2022-37734, CVE-2022-34165)

Source: CCN
Type: IBM Security Bulletin 6850847 (Security Identity Manager)
Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component

Source: CCN
Type: IBM Security Bulletin 6852615 (Security Verify Governance)
IBM Security Verify Governance is vulnerable to multiple vulnerabilities due to use of IBM WebSphere Application Server Liberty (CVE-2022-34165, CVE-2022-24839)

Source: CCN
Type: IBM Security Bulletin 6852649 (Robotic Process Automation)
A vulnerability in IBM Java may affect IBM Robotic Process Automation and result in a denial of service (CVE-2022-24839)

Source: CCN
Type: IBM Security Bulletin 6921285 (i)
IBM WebSphere Application Server Liberty for IBM i is vulnerable to HTTP header injection and affected by denial of services due to multiple vulnerabilities.

Source: CCN
Type: Oracle CPUJul2022
Oracle Critical Patch Update Advisory - July 2022

Source: security-advisories@github.com
Type: Patch, Third Party Advisory
security-advisories@github.com

Vulnerable Configuration: Configuration CCN 1:
  • cpe:/o:ibm:i:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq:9.1.0:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:txseries:8.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:txseries:8.2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:txseries:9.1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq:9.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:txseries:9.1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*
  • OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.4:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID: oval:org.opensuse.security:def:8043
    Class: P
    Title: nekohtml-1.9.22.noko2-150200.3.4.4 on GA media (Moderate)
    Last Modified: 2023-06-20