CVE-2022-29577 Overview
CVE-2022-29577 is a Cross-Site Scripting (XSS) vulnerability affecting OWASP AntiSamy before version 1.6.7. The vulnerability allows attackers to inject malicious scripts via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content, enabling XSS attacks that bypass AntiSamy's sanitization mechanisms. This issue exists because of an incomplete fix for CVE-2022-28367.
Critical Impact
Applications using vulnerable versions of AntiSamy for HTML sanitization may be susceptible to XSS attacks, allowing attackers to execute arbitrary JavaScript in users' browsers, potentially leading to session hijacking, credential theft, or malicious actions performed on behalf of authenticated users.
Affected Products
- OWASP AntiSamy versions prior to 1.6.7
- Oracle Enterprise Manager Base Platform versions 13.4.0.0 and 13.5.0.0
- Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0
Discovery Timeline
- April 21, 2022 - CVE-2022-29577 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-29577
Vulnerability Analysis
This vulnerability stems from improper encoding of CSS content within STYLE tags during the HTML sanitization process. OWASP AntiSamy is a Java library designed to sanitize HTML input to prevent XSS attacks. However, in versions prior to 1.6.7, the output serializer fails to properly encode CSS content, creating an opportunity for attackers to smuggle malicious HTML tags within STYLE elements.
The vulnerability represents an incomplete fix for the previously disclosed CVE-2022-28367. While the initial patch addressed certain aspects of the tag smuggling technique, it did not fully remediate all attack vectors, allowing sophisticated payloads to still bypass the sanitization logic.
Root Cause
The root cause lies in the AntiSamyDOMScanner.java class, specifically in how the child nodes of a STYLE element are processed. The scanner re-read the child node count on every loop iteration (the ele.getChildNodes().getLength() call in the loop condition) while the same pass was modifying that node list, so the count changed under the iteration and STYLE content was handled inconsistently. As a result the scanner failed to track and remove child nodes carrying smuggled HTML, allowing malicious payloads to survive the sanitization process.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker can craft malicious input containing specially formatted STYLE content that exploits the improper encoding in the output serializer. When this input passes through AntiSamy's sanitization and is subsequently rendered in a victim's browser, the smuggled HTML tags execute, resulting in XSS. The attack typically targets web applications that accept user-generated HTML content and rely on AntiSamy for sanitization.
CssScanner styleScanner = new CssScanner(policy, messages, policy.isEmbedStyleSheets());
try {
- if (ele.getChildNodes().getLength() > 0) {
+ int childNodesCount = ele.getChildNodes().getLength();
+ if (childNodesCount > 0) {
StringBuffer toScan = new StringBuffer();
for (int i = 0; i < ele.getChildNodes().getLength(); i++) {
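Review bot: the captured childNodesCount is only used in the "> 0" guard; the for loop on the last context line still evaluates ele.getChildNodes().getLength() on every iteration, so if the goal is to stop the count from being recalculated while the live NodeList is being modified, the loop bound should use the captured value as well, e.g. `for (int i = 0; i < childNodesCount; i++) {`, unless a later hunk not shown here does that. Note also that removing children inside such a loop shifts the indices of a live NodeList, so iterating a fixed count over a shrinking list needs either a reverse iteration or collecting the nodes before removal; the commit message should say which of the two the fix relies on.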
Source: GitHub Commit
The patch captures the child node count before iteration begins, preventing issues that arise from the collection being modified during processing.
Detection Methods for CVE-2022-29577
Indicators of Compromise
- Unusual STYLE tag content in user-submitted HTML that contains HTML-like structures or encoded characters
- Web application logs showing attempts to inject malformed CSS content with embedded script fragments
- Browser console errors indicating unexpected script execution from sanitized content
Detection Strategies
- Implement web application firewall (WAF) rules to detect HTML tag smuggling patterns within STYLE elements
- Monitor application logs for unusual STYLE content submissions containing angle brackets or script-related keywords
- Conduct periodic dependency scans to identify applications using AntiSamy versions prior to 1.6.7
- Deploy content security policy (CSP) headers to detect and report unexpected inline script execution
Monitoring Recommendations
- Enable verbose logging for HTML sanitization operations to capture suspicious input patterns
- Monitor client-side error reporting for unexpected JavaScript execution in user-generated content areas
- Track dependency versions across your application portfolio using software composition analysis (SCA) tools
- Implement real-time alerting for CSP violation reports that may indicate attempted XSS exploitation
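The two CSP-related items above (reporting CSP violations, and alerting on those that point at unexpected inline script execution in user-generated-content areas) can be turned into a small triage step at the report endpoint. The following is an added example, not code from AntiSamy or from any vendor: it accepts both report shapes browsers send (the legacy report-uri JSON object with a csp-report key, and a Reporting API batch of csp-violation items), normalises them, and rates inline script violations on user-generated-content pages highest. The sample reports, the path prefixes and the function names are constructed for this example.

```python
"""Triage of CSP violation reports for signs of inline script execution.

Added example; not part of AntiSamy or any vendor tooling. The sample reports
and the UGC path prefixes below are constructed for illustration.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlparse

SCRIPT_DIRECTIVES = {"script-src", "script-src-elem", "script-src-attr"}
STYLE_DIRECTIVES = {"style-src", "style-src-elem", "style-src-attr"}
INLINE_SOURCES = {"inline", "eval"}  # blocked-uri values that carry no external URL
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class CspAlert:
    document_uri: str
    effective_directive: str
    blocked_uri: str
    severity: str


def normalize(payload: str) -> list:
    """Flatten either report shape into dicts with a common key set."""
    data = json.loads(payload)
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        # Older browsers omit effective-directive; fall back to the first token
        # of violated-directive (e.g. "script-src 'self'" -> "script-src").
        directive = r.get("effective-directive") or (r.get("violated-directive") or "unknown").split()[0]
        return [{
            "document_uri": r.get("document-uri", ""),
            "effective_directive": directive,
            "blocked_uri": r.get("blocked-uri", ""),
            "disposition": r.get("disposition", "enforce"),
        }]
    if isinstance(data, list):
        events = []
        for item in data:
            if item.get("type") != "csp-violation":
                continue
            body = item.get("body", {})
            events.append({
                "document_uri": body.get("documentURL") or item.get("url", ""),
                "effective_directive": body.get("effectiveDirective", "unknown"),
                "blocked_uri": body.get("blockedURL", ""),
                "disposition": body.get("disposition", "enforce"),
            })
        return events
    raise ValueError("unrecognised CSP report payload")


def classify(event: dict, ugc_path_prefixes: tuple) -> str:
    """Rate one normalised event; inline script on a UGC page ranks highest."""
    directive = event["effective_directive"]
    inline = event["blocked_uri"] in INLINE_SOURCES
    if directive in SCRIPT_DIRECTIVES and inline:
        path = urlparse(event["document_uri"]).path
        return "critical" if path.startswith(ugc_path_prefixes) else "high"
    if directive in STYLE_DIRECTIVES and inline:
        return "medium"  # inline style is expected noise when rendering user HTML
    return "low"


def triage(payloads, ugc_path_prefixes=("/comments", "/profile")) -> list:
    """Normalise, classify and order alerts from a batch of raw report bodies."""
    alerts = []
    for payload in payloads:
        for ev in normalize(payload):
            alerts.append(CspAlert(ev["document_uri"], ev["effective_directive"],
                                   ev["blocked_uri"], classify(ev, ugc_path_prefixes)))
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a.severity])


# Constructed sample reports (what a browser would POST to the report endpoint).
SAMPLE_LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/comments/42",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp",
    "disposition": "enforce",
}})
SAMPLE_REPORTING_API_BATCH = json.dumps([
    {"age": 10, "type": "csp-violation", "url": "https://app.example/dashboard",
     "body": {"documentURL": "https://app.example/dashboard",
              "effectiveDirective": "style-src-attr", "blockedURL": "inline",
              "disposition": "enforce"}},
    {"age": 12, "type": "csp-violation", "url": "https://app.example/dashboard",
     "body": {"documentURL": "https://app.example/dashboard",
              "effectiveDirective": "img-src", "blockedURL": "https://cdn.example/x.png",
              "disposition": "enforce"}},
])

if __name__ == "__main__":
    for alert in triage([SAMPLE_LEGACY_REPORT, SAMPLE_REPORTING_API_BATCH]):
        print(alert.severity, alert.effective_directive, alert.document_uri)
```

The severity split is deliberate: an inline style violation is normal background noise for any page that renders user HTML, whereas an inline script violation on a page that displays sanitized user content is exactly the signal the monitoring item above is after, so only the latter is promoted to critical.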
How to Mitigate CVE-2022-29577
Immediate Actions Required
- Upgrade OWASP AntiSamy to version 1.6.7 or later immediately across all affected applications
- For Oracle products, apply the patches referenced in the Oracle Security Alert July 2022
- Review and audit any applications that process user-submitted HTML content for potential exposure
- Implement defense-in-depth measures including Content Security Policy (CSP) headers to mitigate XSS impact
Patch Information
The vulnerability has been patched in AntiSamy version 1.6.7. The fix properly handles child node counting during style tag processing to prevent HTML tag smuggling. The patch commit is available in the AntiSamy GitHub repository. For Oracle products, patches are available through the Oracle Critical Patch Update July 2022.
Workarounds
- If immediate patching is not possible, implement additional input validation layers before content reaches AntiSamy
- Deploy strict Content Security Policy headers to prevent execution of any inline scripts
- Consider temporarily disabling STYLE tag acceptance in AntiSamy policy configuration until upgrade is complete
- Implement output encoding as an additional layer when rendering AntiSamy-sanitized content
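The indicators listed under Detection Methods (HTML-like structures or encoded characters inside STYLE content, and log entries showing such submissions) and the first workaround above (an extra validation layer in front of AntiSamy) can share one piece of code. The following is an added example, not code from the AntiSamy project: a regex-based screen that extracts every STYLE body from submitted HTML, flags anything that is not plausible CSS, and can also be run over application log lines that record the submitted body. The patterns, the function names and the sample log lines are constructed for this example; it is a stop-gap alongside the upgrade, not a replacement for it.

```python
"""Screening layer for HTML tag smuggling inside STYLE content.

Added example; this is not code from the AntiSamy project. The patterns,
function names and sample log lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Every <style ...>...</style> block, or an unterminated one running to the
# end of the input; case-insensitive and spanning newlines.
STYLE_BLOCK = re.compile(
    r"<style\b[^>]*>(?P<body>.*?)(?:</style\s*>|\Z)",
    re.IGNORECASE | re.DOTALL,
)

# Patterns that do not belong in legitimate CSS text, paired with the reason
# reported when one matches. A bare ">" is allowed (CSS child combinator).
SUSPICIOUS_CSS = [
    ("html_tag_like", re.compile(r"<\s*/?\s*[a-z!?]", re.IGNORECASE)),
    ("html_entity", re.compile(r"&(?:lt|gt|#x?[0-9a-f]+);?", re.IGNORECASE)),
    # CSS escapes for "<" (U+003C) and ">" (U+003E): \3c, \003C, \3e ...
    ("css_escaped_bracket", re.compile(r"\\0{0,4}3[ce](?![0-9a-f])", re.IGNORECASE)),
    ("active_css_construct", re.compile(r"javascript\s*:|expression\s*\(", re.IGNORECASE)),
]


@dataclass(frozen=True)
class StyleFinding:
    reason: str
    snippet: str  # short excerpt of the offending STYLE body


def inspect_html(doc: str) -> list:
    """Return one finding per (STYLE block, matching pattern) in `doc`."""
    findings = []
    for block in STYLE_BLOCK.finditer(doc):
        body = block.group("body")
        for reason, pattern in SUSPICIOUS_CSS:
            hit = pattern.search(body)
            if hit:
                start = max(0, hit.start() - 10)
                findings.append(StyleFinding(reason, body[start:hit.end() + 20].strip()))
    return findings


def is_suspicious(doc: str) -> bool:
    """Gate to evaluate before handing user HTML to the sanitizer."""
    return bool(inspect_html(doc))


def scan_log_lines(lines) -> list:
    """Return (1-based line number, sorted reasons) for each suspicious line."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        reasons = sorted({f.reason for f in inspect_html(line)})
        if reasons:
            alerts.append((number, reasons))
    return alerts


# Constructed request-log lines in which the submitted body is logged verbatim.
SAMPLE_LOG_LINES = [
    '2024-05-01T10:00:01Z POST /comments user=alice body="<p>Hello <b>world</b></p>"',
    '2024-05-01T10:00:05Z POST /comments user=bob body="<style>div > p { color: red }</style><p>ok</p>"',
    '2024-05-01T10:00:09Z POST /comments user=carol body="<style>p {} <img src=x></style>"',
    '2024-05-01T10:00:12Z POST /comments user=dave body="<STYLE>p {} \\3c img src=x\\3e </STYLE>"',
]

if __name__ == "__main__":
    for number, reasons in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: {', '.join(reasons)}")
```

The checks are heuristics, so treat a hit as a reason to reject or quarantine the submission and log it, not as proof of an attack; a CSS string such as content: "<b>" will trip the tag-like pattern, which is an acceptable false positive while the vulnerable library version is still in service.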
# Maven dependency update example
# Update your pom.xml to use the patched version:
# <dependency>
#   <groupId>org.owasp.antisamy</groupId>
#   <artifactId>antisamy</artifactId>
#   <version>1.6.7</version>
# </dependency>
# Verify the upgrade with:
mvn dependency:tree | grep antisamy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

