GHSA-qv4q-mr5r-qprj

Suggest an improvement
Source
https://github.com/advisories/GHSA-qv4q-mr5r-qprj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-qv4q-mr5r-qprj/GHSA-qv4q-mr5r-qprj.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-qv4q-mr5r-qprj
Aliases
Published
2022-12-08T03:03:33Z
Modified
2023-11-01T04:57:51.927896Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Unchecked return value from xmlTextReaderExpand
Details

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

Credit

This vulnerability was responsibly reported by @davidwilemski.

Database specific
{
    "nvd_published_at": "2022-12-08T04:15:00Z",
    "github_reviewed_at": "2022-12-08T03:03:33Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-252",
        "CWE-476"
    ]
}
References

Affected packages

RubyGems / nokogiri

Package

Name
nokogiri
Purl
pkg:gem/nokogiri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.13.8
Fixed
1.13.10

Affected versions

1.*

1.13.8
1.13.9