search

Seagate / cortx-s3server

CORTX S3 compatible storage server for CORTX
https://github.com/Seagate/cortx
Apache License 2.0
37 stars 87 forks source link

CVE-2019-5477 (High) detected in nokogiri-1.6.6.2.gem #526

Closed mend-bolt-for-github[bot] closed 3 years ago

mend-bolt-for-github[bot] commented 3 years ago

CVE-2019-5477 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.6.6.2.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors. XML is like violence - if it doesn’t solve your problems, you are not using enough of it.

Library home page: https://rubygems.org/gems/nokogiri-1.6.6.2.gem

Dependency Hierarchy: - :x: **nokogiri-1.6.6.2.gem** (Vulnerable Library)

Found in HEAD commit: fde64200b4f94603ae17220b98da6422a531445e

Found in base branch: main

Vulnerability Details

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Publish Date: 2019-08-16

URL: CVE-2019-5477

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/rubysec/ruby-advisory-db/commit/ddeb4ee1d9dce4feaaa1924bc150dc8062426758

Release Date: 2019-01-04

Fix Resolution: nokogiri-v1.10.4, rexical-v1.0.7

Step up your Open Source Security Game with WhiteSource here

stale[bot] commented 3 years ago

This issue/pull request has been marked as needs attention as it has been left pending without new activity for 4 days. Tagging @shalakadharap @amitwac2608 @nileshgovande for appropriate assignment. Sorry for the delay & Thank you for contributing to CORTX. We will get back to you as soon as possible.