CVE-2024-34459 (High) detected in nokogiri-1.8.2.gem

[mend-bolt-for-github[bot]]

CVE-2024-34459 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.8.2.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.8.2.gem

Path to dependency file: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Path to vulnerable library: /vendor/github.com/hashicorp/vault/website/Gemfile.lock

Dependency Hierarchy: - middleman-hashicorp-0.3.30.gem (Root Library) - middleman-3.4.1.gem - middleman-sprockets-3.5.0.gem - middleman-core-3.4.1.gem - capybara-2.4.4.gem - :x: **nokogiri-1.8.2.gem** (Vulnerable Library)

Found in HEAD commit: 9060713df80212ee5546b36d1083fb607520eb0b

Found in base branch: master

Vulnerability Details

An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c. Mend Note: This vulnerability does not affect RubyGem's Nokogiri directly, but its dependency libxml2, which is downloaded during Nokogiri's depndency resolution.

Publish Date: 2024-05-13

URL: CVE-2024-34459

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-r95h-9x8f-r3f7

Release Date: 2024-05-14

Fix Resolution: libxml2-v2.11.8,v2.12.7, nokogiri - 1.16.5

---

Step up your Open Source Security Game with Mend here