ckeditor ckeditor CVE-2022-24729 vulnerability in Ckeditor and Other Products
Published on March 16, 2022

Regular expression Denial of Service in dialog plugin

product logo product logo product logo product logo
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2022-24729 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2022-24729 has been classified to as a Resource Exhaustion vulnerability or weakness.


Products Associated with CVE-2022-24729

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-24729 are published in these products:

Ckeditor
 
Drupal
 
Oracle Peoplesoft Enterprise Peopletools
 
Oracle Commerce Merchandising
 
Oracle Financial Services Trade Based Anti Money Laundering
 
Fedora Project Fedora
 
Oracle Financial Services Analytical Applications Infrastructure
 
Oracle Application Express
 
Oracle Financial Services Behavior Detection Platform
 

Affected Versions

ckeditor4 Version < 4.18.0 is affected by CVE-2022-24729

Exploit Probability

EPSS
0.86%
Percentile
74.65%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.