Linux Distros Unpatched Vulnerability : CVE-2022-28366

🗓️ 05 Mar 2025 00:00:00Reported by TenableType

Vulnerability CVE-2022-28366 affects Linux/Unix packages with no vendor patch available.

Reporter	Title	Published	Views	Family All 149
IBM Security Bulletins	Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable because Sparkle Motion Nokogiri is vulnerable to a denial of service, (CVE-2022-24839)	8 Dec 202206:04	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component	21 Dec 202221:22	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Verify Governance is vulnerable to denial of service (CVE-2022-24839)	20 Apr 202310:45	–	ibm
IBM Security Bulletins	Security Bulletin: The IBM® Engineering Lifecycle Management products recommendation for Denial of Service due to Neko HTML in WebSphere Application Server Liberty (CVE-2022-24839)	3 Nov 202213:37	–	ibm
IBM Security Bulletins	Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a Denial of Service due to Neko HTML (CVE-2022-24839)	30 Sep 202218:54	–	ibm
IBM Security Bulletins	Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to HTTP header injection and affected by denial of services due to multiple vulnerabilities.	2 Feb 202304:08	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling Control Center is vulnerable to denial of service due to Websphere Liberty (CVE-2022-24839)	23 Nov 202221:32	–	ibm
IBM Security Bulletins	Security Bulletin: IBM MQ is affected by a denial of service issue in IBM WebSphere Application Server Liberty (CVE-2022-24839)	3 Nov 202212:47	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar SIEM includes components with known vulnerabilities	26 Mar 202503:39	–	ibm
IBM Security Bulletins	Security Bulletin: Mutiple Vulnerabilties Affecting Watson Machine Learning Accelerator on Cloud Pak for Data version	13 Nov 202315:22	–	ibm

Source	Link
security-tracker	www.security-tracker.debian.org/tracker/CVE-2022-28366
ubuntu	www.ubuntu.com/security/CVE-2022-28366
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(224635);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/21");

  script_cve_id("CVE-2022-28366");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2022-28366");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input
    that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through
    2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP
    AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to
    CVE-2022-24839. (CVE-2022-28366)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-28366");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2022-28366");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-28366");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/04/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/03/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libowasp-antisamy-java");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libowasp-antisamy-java");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("set_linux_os_id.nasl", "ssh_get_info2.nasl");
  script_require_keys("Host/OS/identifier", "Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched");
  script_require_ports("Host/OS/Debian Linux-11", "Host/OS/Debian Linux-12", "Host/OS/Ubuntu Linux-16.04", "Host/OS/Ubuntu Linux-18.04", "Host/OS/Ubuntu Linux-20.04", "Host/OS/Ubuntu Linux-22.04", "Host/OS/Ubuntu Linux-24.04", "Host/OS/Ubuntu Linux-25.04", "Host/OS/Ubuntu Linux-25.10");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-11": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "11",
        "pkgs": [
          {"reference": "libowasp-antisamy-java"},
          {"reference": "libowasp-antisamy-java-doc"}
        ]
      }
    ]
  },
  "Debian Linux-12": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "12",
        "pkgs": [
          {"reference": "libowasp-antisamy-java"},
          {"reference": "libowasp-antisamy-java-doc"}
        ]
      }
    ]
  },
  "Ubuntu Linux-16.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "16.04",
        "pkgs": [
          {"reference": "libowasp-antisamy-java"}
        ]
      }
    ]
  },
  "Ubuntu Linux-18.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "18.04",
        "pkgs": [
          {"reference": "libowasp-antisamy-java"}
        ]
      }
    ]
  },
  "Ubuntu Linux-20.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "20.04",
        "pkgs": [
          {"reference": "libowasp-antisamy-java"}
        ]
      }
    ]
  },
  "Ubuntu Linux-22.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "22.04",
        "pkgs": [
          {"reference": "libowasp-antisamy-java"}
        ]
      }
    ]
  },
  "Ubuntu Linux-24.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "24.04",
        "pkgs": [
          {"reference": "libowasp-antisamy-java"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.04",
        "pkgs": [
          {"reference": "libowasp-antisamy-java"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.10": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.10",
        "pkgs": [
          {"reference": "libowasp-antisamy-java"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

21 May 2026 00:00Current

6.8Medium risk

Vulners AI Score6.8

CVSS 25

CVSS 3.17.5

EPSS0.00454

SSVC

linux unix vulnerability package denial of service heap memory consumption