{
  "threat_severity" : "Moderate",
  "public_date" : "2022-12-13T00:00:00Z",
  "bugzilla" : {
    "description" : "rubygem-loofah: inefficient regular expression leading to denial of service",
    "id" : "2153234",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2153234"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1333",
  "details" : [ "Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1.", "An inefficient regular expression vulnerability was found in rubygem loofah. While sanitizing certain SVG attributes, loofah is susceptible to excessive backtracking, which can result in a denial of service through CPU resource consumption." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Satellite 6.13 for RHEL 8",
    "release_date" : "2023-05-03T00:00:00Z",
    "advisory" : "RHSA-2023:2097",
    "cpe" : "cpe:/a:redhat:satellite:6.13::el8",
    "package" : "satellite:el8/rubygem-loofah-0:2.19.1-1.el8sat"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "3scale-amp-zync-container",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tfm-ror51-rubygem-loofah",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tfm-ror52-rubygem-loofah",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "tfm-rubygem-loofah",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-23514\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-23514\nhttps://github.com/rubysec/ruby-advisory-db/tree/master/gems/loofah/CVE-2022-23514.yml" ],
  "name" : "CVE-2022-23514",
  "csaw" : false
}