MidnightBSD

Advisories for nokogiri

CVE-2012-6685 MEDIUM

Nokogiri before 1.5.4 is vulnerable to XXE attacks

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-776,

Products Affected

Vendor Product Version
redhat openstack_foreman -
redhat satellite 6.0
redhat enterprise_mrg 2.0
redhat openstack 4.0
nokogiri nokogiri *
redhat openshift 2.0
redhat openstack 6.0
redhat cloudforms_management_engine 5.0
redhat subscription_asset_manager -
CVE-2013-6460 MEDIUM

Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-776,

Products Affected

Vendor Product Version
redhat satellite 6.0
redhat enterprise_mrg 2.0
redhat openstack 4.0
debian debian_linux 10.0
nokogiri nokogiri *
debian debian_linux 8.0
redhat openstack 3.0
debian debian_linux 9.0
redhat cloudforms_management_engine 5.0
redhat subscription_asset_manager -
CVE-2013-6461 MEDIUM

Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-776,

Products Affected

Vendor Product Version
redhat satellite 6.0
redhat enterprise_mrg 2.0
redhat openstack 4.0
debian debian_linux 10.0
nokogiri nokogiri *
debian debian_linux 8.0
redhat openstack 3.0
debian debian_linux 9.0
redhat cloudforms_management_engine 5.0
redhat subscription_asset_manager -
CVE-2018-25032 MEDIUM

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
siemens scalance_sc636-2c_firmware *
fedoraproject fedora 36
fedoraproject fedora 35
debian debian_linux 10.0
azul zulu 13.46
apple mac_os_x *
netapp management_services_for_element_software -
fedoraproject fedora 34
siemens scalance_sc622-2c_firmware *
netapp e-series_santricity_os_controller *
netapp h410s_firmware -
apple mac_os_x 10.15.7
azul zulu 7.52
debian debian_linux 9.0
siemens scalance_sc626-2c_firmware *
netapp h300s_firmware -
debian debian_linux 11.0
azul zulu 15.38
goto gotoassist *
nokogiri nokogiri *
zlib zlib *
azul zulu 6.45
azul zulu 8.60
azul zulu 11.54
siemens scalance_sc646-2c_firmware *
apple macos *
azul zulu 17.32
netapp h500s_firmware -
netapp h410c_firmware -
netapp active_iq_unified_manager -
netapp ontap_select_deploy_administration_utility -
siemens scalance_sc632-2c_firmware *
siemens scalance_sc642-2c_firmware *
mariadb mariadb *
netapp h700s_firmware -
netapp oncommand_workflow_automation -
python python *
netapp hci_compute_node -
CVE-2019-5477 HIGH

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 18.04
nokogiri nokogiri *
debian debian_linux 8.0
canonical ubuntu_linux 19.04
canonical ubuntu_linux 19.10
CVE-2020-26247 MEDIUM

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
security-advisories@github.com 2.6 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 1.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,CWE-611,

Products Affected

Vendor Product Version
debian debian_linux 10.0
nokogiri nokogiri *
nokogiri nokogiri 1.11.0
debian debian_linux 9.0
CVE-2021-41098 MEDIUM

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
nokogiri nokogiri *
CVE-2022-23476

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.

Products Affected

Vendor Product Version
nokogiri nokogiri 1.13.9
nokogiri nokogiri 1.13.8
CVE-2022-24836 MEDIUM

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,CWE-1333,CWE-1333,

Products Affected

Vendor Product Version
apple macos *
fedoraproject fedora 36
fedoraproject fedora 35
debian debian_linux 10.0
nokogiri nokogiri *
fedoraproject fedora 34
debian debian_linux 9.0
CVE-2022-29181 MEDIUM

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 3.9 4.2
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 3.9 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-241,CWE-843,

Products Affected

Vendor Product Version
apple macos *
nokogiri nokogiri *