CVE-2022-24839: 
Java vulnerability analysis and mitigation

org.cyberneko.html is an HTML parser written in Java. The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup. This vulnerability was discovered in April 2022 and affects versions prior to 1.9.22.noko2. Note that the upstream library org.cyberneko.html is no longer maintained, and this CVE applies only to Nokogiri's fork located at https://github.com/sparklemotion/nekohtml (GitHub Advisory).

The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 Base Score of 7.5 HIGH. The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring No privileges (PR:N), No user interaction (UI:N), having an Unchanged scope (S:U), and primarily affecting system Availability (A:H) while having No impact on Confidentiality (C:N) or Integrity (I:N) (GitHub Advisory).

When exploited, this vulnerability can lead to a Denial of Service condition through uncontrolled resource consumption, specifically triggering a java.lang.OutOfMemoryError exception when processing malformed HTML markup. This can potentially affect the availability of systems using the vulnerable versions of the library (GitHub Advisory).

Users are advised to upgrade to version 1.9.22.noko2 or later to address this vulnerability. The fix has been implemented in the Nokogiri fork of the library, as demonstrated in the patch commit (GitHub Patch, GitHub Advisory).

The vulnerability has been acknowledged and addressed by various organizations, including Oracle who included patches for this vulnerability in their July 2022 Critical Patch Update (Oracle CPU). The vulnerability was reported by 이형관 (windshock) through responsible disclosure channels (GitHub Advisory).