Vulnerability details: VCID-9yzd-3psv-aaan
Vulnerability ID VCID-9yzd-3psv-aaan
Aliases CVE-2022-23514
GHSA-486f-hjj9-9vhh
GMS-2022-8289
Summary Inefficient Regular Expression Complexity in Loofah
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23514.json
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss 0.002 https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss 0.00224 https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss 0.00246 https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss 0.00275 https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss 0.00299 https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss 0.00781 https://api.first.org/data/v1/epss?cve=CVE-2022-23514
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-486f-hjj9-9vhh
cvssv3.1 7.5 https://github.com/flavorjones/loofah
generic_textual HIGH https://github.com/flavorjones/loofah
cvssv3.1 7.5 https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
generic_textual HIGH https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
cvssv3.1 7.5 https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
cvssv3.1_qr HIGH https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
ssvc Track https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
cvssv3.1 7.5 https://hackerone.com/reports/1684163
generic_textual HIGH https://hackerone.com/reports/1684163
ssvc Track https://hackerone.com/reports/1684163
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
ssvc Track https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-23514
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-23514
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23514.json
Possible values for each CVSS metric:
Attack Vector (AV): network, adjacent_network, local, physical
Attack Complexity (AC): low, high
Privileges Required (PR): none, low, high
User Interaction (UI): none, required
Scope (S): unchanged, changed
Confidentiality Impact (C): high, low, none
Integrity Impact (I): high, low, none
Availability Impact (A): high, low, none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/flavorjones/loofah
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:49:18Z/ Found at https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://hackerone.com/reports/1684163
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:49:18Z/ Found at https://hackerone.com/reports/1684163
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:49:18Z/ Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-23514
Exploit Prediction Scoring System (EPSS)
Percentile 0.47422
EPSS Score 0.00121
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.