CVE-2023-34623: 
Linux Debian vulnerability analysis and mitigation

An issue was discovered in jtidy through version r938 that allows attackers to cause a denial of service or other unspecified impacts via crafted objects that use cyclic dependencies. The vulnerability was assigned CVE-2023-34623 and was publicly disclosed on June 14, 2023 (NVD).

The vulnerability is related to the HTML parsing functionality in jtidy, where processing untrusted HTML input can lead to a stack overflow error. The issue occurs when parsing deeply nested HTML structures, which can cause the parser to crash due to recursive processing. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and is classified as CWE-787 (Out-of-bounds Write) (NVD).

When exploited, this vulnerability can lead to denial of service conditions by causing the application to crash through stack overflow errors. The impact primarily affects the availability of systems using the jtidy library to process HTML content (GitHub Issue).

While no official patch has been released, suggested mitigations include implementing depth tracking during parsing and setting maximum depth thresholds, similar to solutions implemented in other parsers like jackson-databind and GSON. Another approach is to modify the recursive processing to use stack-based iteration instead (GitHub Issue).