GitHub_MCVELIST:CVE-2022-29181CVE-2022-29181 Improper Handling of Unexpected Data Type in Nokogiri
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
8.2 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
68.8%
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.
CNA Affected
[
{
"vendor": "sparklemotion",
"product": "nokogiri",
"versions": [
{
"version": "< 1.13.6",
"status": "affected"
}
]
}
]References
seclists.org/fulldisclosure/2022/Dec/23
github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267
github.com/sparklemotion/nokogiri/releases/tag/v1.13.6
github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
security.gentoo.org/glsa/202208-29
securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri/
support.apple.com/kb/HT213532
Related
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
8.2 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
68.8%