Lucene search

GitHub Advisory DatabaseGHSA-JC36-42CF-VQWJ

HistoryMar 26, 2022 - 12:00 a.m.

Nokogiri affected by zlib's Out-of-bounds Write vulnerability

2022-03-2600:00:33

CWE-787

GitHub Advisory Database

github.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.003 Low

EPSS

Percentile

67.9%

JSON

zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

CPENameOperatorVersion
nokogirilt1.13.4

CPE	Name	Operator	Version
	nokogiri	lt	1.13.4

References

seclists.org/fulldisclosure/2022/May/33

seclists.org/fulldisclosure/2022/May/35

seclists.org/fulldisclosure/2022/May/38

www.openwall.com/lists/oss-security/2022/03/25/2

www.openwall.com/lists/oss-security/2022/03/26/1

cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf

github.com/advisories/GHSA-jc36-42cf-vqwj

github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

github.com/madler/zlib/compare/v1.2.11...v1.2.12

github.com/madler/zlib/issues/605

github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-25032.yml

github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

lists.debian.org/debian-lts-announce/2022/04/msg00000.html

lists.debian.org/debian-lts-announce/2022/05/msg00008.html

lists.debian.org/debian-lts-announce/2022/09/msg00023.html

lists.fedoraproject.org/archives/list/[email protected]/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/

lists.fedoraproject.org/archives/list/[email protected]/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/

lists.fedoraproject.org/archives/list/[email protected]/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/

lists.fedoraproject.org/archives/list/[email protected]/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/

lists.fedoraproject.org/archives/list/[email protected]/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/

lists.fedoraproject.org/archives/list/[email protected]/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/

nvd.nist.gov/vuln/detail/CVE-2018-25032

security.gentoo.org/glsa/202210-42

security.netapp.com/advisory/ntap-20220526-0009/

security.netapp.com/advisory/ntap-20220729-0004/

support.apple.com/kb/HT213255

support.apple.com/kb/HT213256

support.apple.com/kb/HT213257

www.debian.org/security/2022/dsa-5111

www.openwall.com/lists/oss-security/2022/03/24/1

www.openwall.com/lists/oss-security/2022/03/28/1

www.openwall.com/lists/oss-security/2022/03/28/3

www.oracle.com/security-alerts/cpujul2022.html

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.003 Low

EPSS

Percentile

67.9%

JSON

Nokogiri affected by zlib's Out-of-bounds Write vulnerability

References

Related