CVE-2022-29181
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-29181
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29181.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-29181
- Aliases
- Downstream
- Related
- Published
- 2022-05-20T19:15:08Z
- Modified
- 2025-09-19T13:53:03.783248Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a
Stringby calling#to_sor equivalent. - References
-
- https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
- https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri
- http://seclists.org/fulldisclosure/2022/Dec/23
- https://security.gentoo.org/glsa/202208-29
- https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri/
- https://support.apple.com/kb/HT213532
- https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7
Affected packages
Git / github.com/sparklemotion/nokogiri
Affected ranges
- Type
- GIT
- Repo
- https://github.com/sparklemotion/nokogiri
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixed
Affected versions
1.*
1.7.0.1-linux-binary1
REL_1.*
REL_1.0.0
REL_1.0.1
REL_1.0.2
REL_1.0.3
REL_1.0.4
REL_1.0.5
REL_1.0.6
REL_1.0.7
REL_1.1.0
REL_1.1.1
REL_1.2.0
REL_1.2.1
REL_1.2.2
REL_1.2.3
REL_1.3.0
REL_1.3.0rc1
REL_1.3.1
REL_1.3.2
REL_1.3.3
REL_1.4.0
REL_1.4.1
REL_1.4.2
REL_1.4.3
REL_1.4.3.1
REL_1.5.0.beta.1
REL_1.5.0.beta.2
v1.*
v1.10.0
v1.10.0.rc1
v1.10.1
v1.10.2
v1.10.3
v1.11.0
v1.11.0.rc1
v1.11.0.rc2
v1.11.0.rc3
v1.11.0.rc4
v1.11.1
v1.11.2
v1.11.3
v1.12.0
v1.12.0.rc1
v1.12.1
v1.12.2
v1.12.3
v1.13.0
v1.13.1
v1.13.2
v1.13.3
v1.13.4
v1.13.5
v1.4.4
v1.4.4.1
v1.4.4.2
v1.5.0
v1.5.0.beta.3
v1.5.0.beta.4
v1.5.1
v1.5.1.rc1
v1.5.2
v1.5.3
v1.5.3.rc1
v1.5.3.rc3
v1.5.3.rc4
v1.5.3.rc5
v1.5.3.rc6
v1.5.4
v1.5.4.rc1
v1.5.4.rc2
v1.5.4.rc3
v1.5.5
v1.5.5.rc1
v1.5.5.rc2
v1.5.5.rc3
v1.5.6
v1.5.6.rc1
v1.5.6.rc2
v1.5.7
v1.5.7.rc1
v1.5.7.rc2
v1.5.7.rc3
v1.5.8
v1.5.9
v1.6.0
v1.6.0.rc1
v1.6.2
v1.6.2.1
v1.6.2.beta.1
v1.6.2.rc1
v1.6.2.rc2
v1.6.2.rc3
v1.6.3
v1.6.3.1
v1.6.3.rc1
v1.6.3.rc2
v1.6.3.rc3
v1.6.4
v1.6.5
v1.6.6
v1.6.6.1
v1.6.6.2
v1.6.7.rc1
v1.6.7.rc2
v1.6.7.rc3
v1.6.7.rc4
v1.6.8
v1.6.8.rc1
v1.6.8.rc2
v1.6.8.rc3
v1.7.0
v1.7.0.1
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.9.0
v1.9.0.rc1
v1.9.1
Database specific
{
"vanir_signatures": [
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/Html4SaxParserContext.java",
"function": "parse_io"
},
"signature_version": "v1",
"digest": {
"length": 311.0,
"function_hash": "339774057150225604830925007899139441664"
},
"signature_type": "Function",
"id": "CVE-2022-29181-08218874"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"deprecated": false,
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c",
"function": "parse_memory"
},
"signature_version": "v1",
"digest": {
"length": 440.0,
"function_hash": "156700175685575345307480125041260173150"
},
"signature_type": "Function",
"id": "CVE-2022-29181-1630bc76"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/Html4SaxParserContext.java",
"function": "parse_io"
},
"signature_version": "v1",
"digest": {
"length": 311.0,
"function_hash": "339774057150225604830925007899139441664"
},
"signature_type": "Function",
"id": "CVE-2022-29181-1e36b4c7"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"deprecated": false,
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"32660667544791835419492192119628462419",
"107509837605578032575666489903065846394",
"82339482050122467544479565850719152695",
"35316597750796945202672617103511275162",
"64023981287457464679046336078146686527",
"70256715334098376590202143321581670244",
"307505881030890224483924028945227594477",
"153908013770662347021857042754056368166",
"69279590166439256109855042886691596332",
"275480722593031554525184112037389671349",
"201906997703988881664001197585905877796",
"285155501316326881376048425303443337705",
"322197686736064847564962717883962289003"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2022-29181-1f19053f"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/XmlSaxParserContext.java",
"function": "parse_io"
},
"signature_version": "v1",
"digest": {
"length": 251.0,
"function_hash": "212191781225457695491386033688224906340"
},
"signature_type": "Function",
"id": "CVE-2022-29181-22439742"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"deprecated": false,
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c",
"function": "noko_init_xml_sax_parser_context"
},
"signature_version": "v1",
"digest": {
"length": 915.0,
"function_hash": "176127679834381012146427679809076348549"
},
"signature_type": "Function",
"id": "CVE-2022-29181-28f6af2a"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"deprecated": false,
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c",
"function": "noko_init_xml_sax_parser_context"
},
"signature_version": "v1",
"digest": {
"length": 915.0,
"function_hash": "176127679834381012146427679809076348549"
},
"signature_type": "Function",
"id": "CVE-2022-29181-29f6d5f5"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"deprecated": false,
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c",
"function": "parse_io"
},
"signature_version": "v1",
"digest": {
"length": 356.0,
"function_hash": "294968138415222748329321953319310436323"
},
"signature_type": "Function",
"id": "CVE-2022-29181-347206fc"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"deprecated": false,
"target": {
"file": "ext/nokogiri/html4_sax_parser_context.c",
"function": "parse_memory"
},
"signature_version": "v1",
"digest": {
"length": 715.0,
"function_hash": "127238979648815204612396819651147529331"
},
"signature_type": "Function",
"id": "CVE-2022-29181-3ae0d8a8"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/XmlSaxParserContext.java"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"301974088387910415895165297468897494853",
"262078244075390359928913097953673686959",
"332161118915953394321811625135653679747",
"37485012236067294588749722995528365636",
"235067727987673492805409627799828865989"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2022-29181-3b25b21e"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/Html4SaxParserContext.java",
"function": "parse_file"
},
"signature_version": "v1",
"digest": {
"length": 297.0,
"function_hash": "267902176412199800154903533136942249800"
},
"signature_type": "Function",
"id": "CVE-2022-29181-4e57f768"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/internals/ParserContext.java"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"251130477431979476662424461810691582938",
"34541768503110933539975464747105694011",
"272126993558759473010658636557092160129",
"247119134650593912805485105462029812584",
"200848791623806623448935133558450604572",
"269585636492925187769830241646393940632",
"130546992641210218792316502141335517451"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2022-29181-5058400a"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"deprecated": false,
"target": {
"file": "ext/nokogiri/html4_sax_parser_context.c"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"228948493316227740900978492420613898378",
"297369657864748533146341721710689031079",
"100207569160225581353473082597370343087",
"69279590166439256109855042886691596332",
"275480722593031554525184112037389671349",
"201906997703988881664001197585905877796"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2022-29181-56889168"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"deprecated": false,
"target": {
"file": "ext/nokogiri/html4_sax_parser_context.c"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"228948493316227740900978492420613898378",
"297369657864748533146341721710689031079",
"100207569160225581353473082597370343087",
"69279590166439256109855042886691596332",
"275480722593031554525184112037389671349",
"201906997703988881664001197585905877796"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2022-29181-5742102c"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/internals/ParserContext.java",
"function": "setIOInputSource"
},
"signature_version": "v1",
"digest": {
"length": 262.0,
"function_hash": "205531008590026051851218986025663118423"
},
"signature_type": "Function",
"id": "CVE-2022-29181-5e3cf5a8"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/XmlSaxParserContext.java"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"301974088387910415895165297468897494853",
"262078244075390359928913097953673686959",
"332161118915953394321811625135653679747",
"37485012236067294588749722995528365636",
"235067727987673492805409627799828865989"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2022-29181-8565521e"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/Html4SaxParserContext.java"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"331368784099517581934682078160424571708",
"102024338053281508170680113564003959162",
"339844541191640777103824805018317601737",
"201412992390040745034561854691694232729",
"331368784099517581934682078160424571708",
"102024338053281508170680113564003959162",
"33723629034192463124448976271557698700",
"279827863847969284732147331499160204438"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2022-29181-91597b4f"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"deprecated": false,
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c",
"function": "parse_memory"
},
"signature_version": "v1",
"digest": {
"length": 440.0,
"function_hash": "156700175685575345307480125041260173150"
},
"signature_type": "Function",
"id": "CVE-2022-29181-a4320415"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"deprecated": false,
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c",
"function": "parse_io"
},
"signature_version": "v1",
"digest": {
"length": 356.0,
"function_hash": "294968138415222748329321953319310436323"
},
"signature_type": "Function",
"id": "CVE-2022-29181-adbe964b"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"deprecated": false,
"target": {
"file": "ext/nokogiri/html4_sax_parser_context.c",
"function": "parse_memory"
},
"signature_version": "v1",
"digest": {
"length": 715.0,
"function_hash": "127238979648815204612396819651147529331"
},
"signature_type": "Function",
"id": "CVE-2022-29181-b0040838"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/Html4SaxParserContext.java"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"331368784099517581934682078160424571708",
"102024338053281508170680113564003959162",
"339844541191640777103824805018317601737",
"201412992390040745034561854691694232729",
"331368784099517581934682078160424571708",
"102024338053281508170680113564003959162",
"33723629034192463124448976271557698700",
"279827863847969284732147331499160204438"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2022-29181-b22c5a79"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/internals/ParserContext.java"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"251130477431979476662424461810691582938",
"34541768503110933539975464747105694011",
"272126993558759473010658636557092160129",
"247119134650593912805485105462029812584",
"200848791623806623448935133558450604572",
"269585636492925187769830241646393940632",
"130546992641210218792316502141335517451"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2022-29181-b3184692"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/Html4SaxParserContext.java",
"function": "parse_file"
},
"signature_version": "v1",
"digest": {
"length": 297.0,
"function_hash": "267902176412199800154903533136942249800"
},
"signature_type": "Function",
"id": "CVE-2022-29181-b9900a3e"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/internals/ParserContext.java",
"function": "setIOInputSource"
},
"signature_version": "v1",
"digest": {
"length": 262.0,
"function_hash": "205531008590026051851218986025663118423"
},
"signature_type": "Function",
"id": "CVE-2022-29181-d37b0a02"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7",
"deprecated": false,
"target": {
"file": "ext/java/nokogiri/XmlSaxParserContext.java",
"function": "parse_io"
},
"signature_version": "v1",
"digest": {
"length": 251.0,
"function_hash": "212191781225457695491386033688224906340"
},
"signature_type": "Function",
"id": "CVE-2022-29181-dcda49d2"
},
{
"source": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267",
"deprecated": false,
"target": {
"file": "ext/nokogiri/xml_sax_parser_context.c"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"32660667544791835419492192119628462419",
"107509837605578032575666489903065846394",
"82339482050122467544479565850719152695",
"35316597750796945202672617103511275162",
"64023981287457464679046336078146686527",
"70256715334098376590202143321581670244",
"307505881030890224483924028945227594477",
"153908013770662347021857042754056368166",
"69279590166439256109855042886691596332",
"275480722593031554525184112037389671349",
"201906997703988881664001197585905877796",
"285155501316326881376048425303443337705",
"322197686736064847564962717883962289003"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2022-29181-e7a9b689"
}
]
}