ChoeMinji / rails-7.0.0.alpha2

MIT License
0 stars 0 forks source link

CVE-2024-34459 (High) detected in nokogiri-1.11.7.gem #122

Open mend-bolt-for-github[bot] opened 4 months ago

mend-bolt-for-github[bot] commented 4 months ago

CVE-2024-34459 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.11.7.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.11.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /Gemfile.lock

Dependency Hierarchy: - :x: **nokogiri-1.11.7.gem** (Vulnerable Library)

Found in HEAD commit: 3a3902efe3788aa4f5410d439175653e42f854e6

Found in base branch: main

Vulnerability Details

An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c. Mend Note: This vulnerability does not affect RubyGem's Nokogiri directly, but its dependency libxml2, which is downloaded during Nokogiri's depndency resolution.

Publish Date: 2024-05-13

URL: CVE-2024-34459

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-r95h-9x8f-r3f7

Release Date: 2024-05-14

Fix Resolution: libxml2-v2.11.8,v2.12.7, nokogiri - 1.16.5


Step up your Open Source Security Game with Mend here