{"id":"BIT-drupal-2022-24729","summary":"Regular expression Denial of Service in dialog plugin","details":"CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. For the Drupal package tracked by this record, which bundles CKEditor4, the fix is included in Drupal 9.2.15 and 9.3.8.","aliases":["BIT-drupal-2022-24728","CVE-2022-24728","CVE-2022-24729","DRUPAL-CORE-2022-005","GHSA-4fc4-4p5g-6w89","GHSA-f6rf-9m92-x2hh"],"modified":"2025-12-10T23:41:01.388999Z","published":"2024-03-06T10:54:08.369Z","database_specific":{"severity":"High","cpes":["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"]},"references":[{"type":"WEB","url":"https://ckeditor.com/cke4/release/CKEditor-4.18.0"},{"type":"WEB","url":"https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP/"},{"type":"WEB","url":"https://www.drupal.org/sa-core-2022-005"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24729"}],"affected":[{"package":{"name":"drupal","ecosystem":"Bitnami","purl":"pkg:bitnami/drupal"},"ranges":[{"type":"SEMVER","events":[{"introduced":"8.0.0"},{"fixed":"9.2.15"},{"introduced":"9.3.0"},{"fixed":"9.3.8"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/drupal/BIT-drupal-2022-24729.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}],"schema_version":"1.7.3"}