CVE-2024-34459 - High Severity Vulnerability
Vulnerable Library - nokogiri-1.11.7.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.11.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /Gemfile.lock
Dependency Hierarchy:
- :x: **nokogiri-1.11.7.gem** (Vulnerable Library)
Found in HEAD commit: 3a3902efe3788aa4f5410d439175653e42f854e6
Found in base branch: main
Vulnerability Details
An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.
Mend Note: This vulnerability does not affect RubyGem's Nokogiri directly, but its dependency libxml2, which is downloaded during Nokogiri's dependency resolution.
Publish Date: 2024-05-13
URL: CVE-2024-34459
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-r95h-9x8f-r3f7
Release Date: 2024-05-14
Fix Resolution: libxml2 - v2.11.8, v2.12.7; nokogiri - 1.16.5