
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2023-34624 is a security vulnerability discovered in htmlcleaner through version 2.28. The vulnerability was disclosed on June 14, 2023, affecting the Java HTML parser library. The issue allows attackers to cause a denial of service or other unspecified impacts via crafted objects that use cyclic dependencies (NVD, CVE).
The vulnerability has a CVSS v3.1 Base Score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue manifests as a StackOverflowError when parsing untrusted HTML strings with deeply nested elements, leading to recursive processing that exceeds the stack depth (GitHub Issue, NVD).
When exploited, the vulnerability can cause a denial of service through a StackOverflowError if the parser runs on user-supplied input containing deeply nested HTML elements. This can potentially crash the application processing the HTML content (Debian LTS).
The issue has been addressed by introducing a new nesting depth limit which can be overridden in cleaner properties. Fixed versions are available in various distributions: Debian 10 (Buster) version 2.21-5+deb10u1, Debian 11 (Bullseye) version 2.24-1+deb11u1, and Debian 12 (Bookworm) version 2.26-1+deb12u1 (Debian Security, Debian LTS).
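For deployments that cannot move to a fixed version right away, a pre-parse guard can reject input whose element nesting is too deep before it reaches the recursive parser. The following is an added example, not code from htmlcleaner or from this advisory; the class name `NestingDepthGuard` and the `MAX_DEPTH` value are assumptions chosen for illustration, and the tag scan is deliberately conservative (unclosed tags count as nested).

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class NestingDepthGuard {
    // Assumed limit for this example; pick one that fits your legitimate content.
    static final int MAX_DEPTH = 256;

    // Group 1: "/" on a closing tag. Group 2: tag name. Group 3: "/" on a self-closing tag.
    private static final Pattern TAG =
        Pattern.compile("<(/?)([A-Za-z][A-Za-z0-9:-]*)[^<>]*?(/?)>");

    // HTML void elements never contain children, so they do not add depth.
    private static final Set<String> VOID = Set.of("area", "base", "br", "col", "embed",
        "hr", "img", "input", "link", "meta", "source", "track", "wbr");

    /** Returns the deepest open-element count seen, scanning iteratively (no recursion). */
    static int maxDepth(String html) {
        int depth = 0, max = 0;
        Matcher m = TAG.matcher(html);
        while (m.find()) {
            boolean closing = !m.group(1).isEmpty();
            boolean selfClosing = !m.group(3).isEmpty();
            if (closing) {
                depth = Math.max(0, depth - 1);   // tolerate stray closing tags
            } else if (!selfClosing && !VOID.contains(m.group(2).toLowerCase(Locale.ROOT))) {
                max = Math.max(max, ++depth);     // unclosed tags count as nested (conservative)
            }
        }
        return max;
    }

    /** True when the input is shallow enough to hand to the HTML parser. */
    static boolean isSafeToParse(String html) {
        return maxDepth(html) <= MAX_DEPTH;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: an ordinary page and a pathologically nested one.
        String normal = "<html><body><div><p>hello<br>world</p></div></body></html>";
        String deep = "<div>".repeat(100_000) + "x";
        System.out.println(maxDepth(normal) + " " + isSafeToParse(normal));
        System.out.println(maxDepth(deep) + " " + isSafeToParse(deep));
    }
}
```

Because the scan is a loop rather than a recursive descent, the guard's own stack use stays constant regardless of input depth. It requires Java 11 or later for `String.repeat`.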
Source: This report was generated using AI