CVE-2022-4891: 
Ruby vulnerability analysis and mitigation

A vulnerability (CVE-2022-4891) was discovered in Sisimai versions up to 4.25.14p11, specifically affecting the to_plain function in the lib/sisimai/string.rb file. The vulnerability was disclosed on January 16, 2023, and was classified as a Regex Denial of Service (ReDoS) issue (VulDB).

The vulnerability is classified as CWE-1333, where the product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. The issue was specifically found in the to_plain function's regex pattern that could be exploited to cause denial of service through regex processing (GitHub PR).

The vulnerability affects the availability of the system by potentially causing excessive CPU consumption through regex processing. When exploited, it can lead to a denial of service condition when processing certain HTML email body content (VulDB).

The vulnerability has been fixed in Sisimai version 4.25.14p12. Users are recommended to upgrade to this version or apply the patch with commit ID 51fe2e6521c9c02b421b383943dc9e4bbbe65d4e. The fix involves modifying the regex pattern in the to_plain function to prevent the denial of service condition (GitHub Commit).