SCA: security update for loofah (GHSA-3x8r-x6xp-q4vm)

high Tenable Self-Hosted Container Security Plugin ID 409762

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on
top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it
susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of
service through CPU resource consumption. This issue is patched in version 2.19.1. Users who are unable to
upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are
sanitized. (CVE-2022-23516)

See Also

https://github.com/advisories/GHSA-3x8r-x6xp-q4vm

Plugin Details

Severity: High

ID: 409762

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2022-23516

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/13/2022

Vulnerability Publication Date: 12/13/2022

Reference Information

CVE: CVE-2022-23516

cwe: CWE-674