CVE-2022-28366: 
Java vulnerability analysis and mitigation

Certain Neko-related HTML parsers were found to be vulnerable to a denial of service attack through crafted Processing Instruction (PI) input that causes excessive heap memory consumption. This vulnerability, identified as CVE-2022-28366, specifically affects HtmlUnit-Neko through version 2.26 and CyberNeko HTML through version 1.9.22. The vulnerability also impacts OWASP AntiSamy versions before 1.6.6 (NVD CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The attack can be executed remotely and requires no privileges or user interaction. The vulnerability specifically targets the HTML parsing functionality when processing PI input, leading to excessive heap memory consumption (NVD CVE).

When successfully exploited, this vulnerability can lead to a denial of service condition through excessive heap memory consumption. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (NVD CVE).

For HtmlUnit-Neko users, upgrading to version 2.27 or later is recommended. For OWASP AntiSamy users, upgrading to version 1.6.6 or later is necessary. Note that CyberNeko HTML users should be aware that version 1.9.22 is the last version of that library, and migration to alternative solutions may be required (AntiSamy Release).

The vulnerability has been acknowledged and addressed by multiple organizations. Notably, Atlassian has included this vulnerability in their December 2023 Security Bulletin, affecting their Jira Service Management Data Center and Server products (Atlassian Bulletin).