HaloSPV3 / halospv3.github.io

TODO: make 'er pretty
https://halospv3.github.io/
The Unlicense

nokogiri-1.13.9-x86_64-linux.gem: 1 vulnerability (highest severity is: 7.5) - autoclosed #11

Closed mend-bolt-for-github[bot] closed 1 year ago

mend-bolt-for-github[bot] commented 1 year ago
Vulnerable Library - nokogiri-1.13.9-x86_64-linux.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.13.9-x86_64-linux.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /vendor/bundle/ruby/2.7.0/cache/nokogiri-1.13.9-x86_64-linux.gem,/home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.13.9-x86_64-linux.gem

Found in HEAD commit: 8b41f7ce8d6c07e29a42e0ea31df76af3689cdc0

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (nokogiri version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-23476 | High | 7.5 | nokogiri-1.13.9-x86_64-linux.gem | Direct | nokogiri - 1.13.10 | |

Details

CVE-2022-23476

### Vulnerable Library - nokogiri-1.13.9-x86_64-linux.gem

Dependency Hierarchy:
- :x: **nokogiri-1.13.9-x86_64-linux.gem** (Vulnerable Library)

Found in HEAD commit: 8b41f7ce8d6c07e29a42e0ea31df76af3689cdc0

Found in base branch: main

### Vulnerability Details

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.

Publish Date: 2022-12-08

URL: CVE-2022-23476

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-12-08

Fix Resolution: nokogiri - 1.13.10

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
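As an added triage example (not code from the Mend report or the HaloSPV3 repository), the Ruby script below does the two checks the advisory above implies: it reads the resolved nokogiri version out of a Gemfile.lock and tests it against the affected range (1.13.8 and 1.13.9, fixed in 1.13.10), and it searches application source for calls to the two `XML::Reader` methods the advisory names. The lockfile and source snippets are constructed for the example, and only the Ruby standard library (`Gem::Version`, `Gem::Requirement`) is used, so it runs without nokogiri installed.

```ruby
# Added example, not code from the Mend report or the HaloSPV3 project.
# Offline triage of CVE-2022-23476: is the locked nokogiri in the affected
# range, and does the application call the Reader methods the advisory names?
require "rubygems" # Gem::Version / Gem::Requirement (loaded by default in Ruby)

# Versions the advisory lists as affected, and the first fixed release.
AFFECTED = Gem::Requirement.new(">= 1.13.8", "<= 1.13.9")
FIXED    = Gem::Version.new("1.13.10")

# Pull the resolved nokogiri version out of Gemfile.lock text. Resolved gems sit
# under "specs:" indented by four spaces, e.g. "    nokogiri (1.13.9-x86_64-linux)".
# Deeper-indented lines are dependency constraints, not resolved versions.
# The platform suffix ("-x86_64-linux") is stripped before comparison.
def nokogiri_version(lockfile_text)
  m = lockfile_text.match(/^ {4}nokogiri \(([^)\s]+)\)/)
  return nil unless m
  Gem::Version.new(m[1].split("-").first)
end

def affected?(version)
  !version.nil? && AFFECTED.satisfied_by?(version)
end

# Return [line_number, line] for every call of #attributes or #attribute_hash.
# This is a textual search: it also hits Node#attributes, so each hit still has
# to be confirmed as a call on a Nokogiri::XML::Reader node fed untrusted input.
def reader_call_sites(source_text)
  source_text.each_line.with_index(1)
             .select { |line, _| line.match?(/\.(attributes|attribute_hash)\b/) }
             .map { |line, n| [n, line.strip] }
end

def triage(lockfile_text, source_text)
  version = nokogiri_version(lockfile_text)
  {
    version: version&.to_s,
    affected: affected?(version),
    fixed_in: FIXED.to_s,
    call_sites: reader_call_sites(source_text),
  }
end

# Constructed sample inputs (not taken from the repository).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.9-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
LOCK

SAMPLE_SOURCE = <<~RUBY
  reader = Nokogiri::XML::Reader(untrusted_xml)
  reader.each do |node|
    next unless node.name == "item"
    attrs = node.attributes            # Reader#attributes, named in the advisory
    puts attrs["id"]
  end
  doc.root.attributes                  # Node#attributes: a false positive to rule out
RUBY

if __FILE__ == $PROGRAM_NAME
  report = triage(SAMPLE_LOCKFILE, SAMPLE_SOURCE)
  puts "nokogiri #{report[:version]}: affected=#{report[:affected]} (fixed in #{report[:fixed_in]})"
  report[:call_sites].each { |n, line| puts "  line #{n}: #{line}" }
end
```

Run it against a real checkout by reading `Gemfile.lock` and each `.rb` file into the two functions. A hit from `reader_call_sites` is only a lead: the advisory's condition is `XML::Reader` parsing untrusted input, so `Node#attributes` on a fully parsed document is out of scope, and an affected version should simply be bumped to 1.13.10 or later regardless of whether any call site is found.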
mend-bolt-for-github[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.