Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to 2.12.2, which addresses CVE-2022-23437. That CVE is scored as CVSS 6.5 "Medium" on the NVD record.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Upgrade to Nokogiri >= v1.13.4.
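The advisory's scope (JRuby-only, fixed in 1.13.4) maps directly onto the platform suffix and version recorded in a Gemfile.lock. The following Ruby script is an added example, not code from the Nokogiri project or from this advisory: it parses spec lines from a lockfile, keeps only nokogiri entries whose platform is `java`, and flags those below the fixed version. The sample lockfile content is constructed for the example; Gem::Version is used for the comparison so that versions like 1.13.10 sort correctly.

```ruby
require "rubygems"

# Constructed sample of Gemfile.lock content (not taken from the advisory).
# It lists both the JRuby (-java) and an MRI (-x86_64-linux) nokogiri gem.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.0)
      nokogiri (1.13.3-java)
      nokogiri (1.13.3-x86_64-linux)
      racc (1.6.0)
LOCK

# First Nokogiri release carrying xercesImpl 2.12.2 (from the advisory).
FIXED_VERSION = Gem::Version.new("1.13.4")

# Parse "name (version[-platform])" spec lines from a Gemfile.lock body.
# Dependency constraint lines such as "racc (~> 1.4)" do not match because
# the version capture must start with a digit.
# Returns an array of hashes: { name:, version:, platform: } (platform nil for pure-Ruby/MRI entries).
def parse_lock_specs(lock_text)
  lock_text.each_line.filter_map do |line|
    m = line.match(/\A\s*(?<name>[A-Za-z0-9_.-]+) \((?<ver>[0-9][^)\s]*)\)\s*\z/)
    next unless m
    # "1.13.3-x86_64-linux" -> version "1.13.3", platform "x86_64-linux"
    version, platform = m[:ver].split("-", 2)
    { name: m[:name], version: version, platform: platform }
  end
end

# True only for the JRuby (java platform) nokogiri gem below the fixed version,
# matching the advisory's stated scope.
def affected_nokogiri?(spec)
  spec[:name] == "nokogiri" &&
    spec[:platform] == "java" &&
    Gem::Version.new(spec[:version]) < FIXED_VERSION
end

# All affected nokogiri entries found in the given lockfile text.
def affected_specs(lock_text)
  parse_lock_specs(lock_text).select { |s| affected_nokogiri?(s) }
end

if __FILE__ == $PROGRAM_NAME
  hits = affected_specs(SAMPLE_LOCK)
  if hits.empty?
    puts "No JRuby nokogiri below #{FIXED_VERSION} found."
  else
    hits.each { |s| puts "affected: nokogiri #{s[:version]}-#{s[:platform]} (upgrade to >= #{FIXED_VERSION})" }
  end
end
```

Run it against a real lockfile with `affected_specs(File.read("Gemfile.lock"))`; an MRI-only lockfile yields no hits even at older versions, which is the advisory's point about scope.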
github.com/advisories/GHSA-h65f-jvqw-m9fj
github.com/advisories/GHSA-xxx9-3xcr-gjj3
github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3
groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
nvd.nist.gov/vuln/detail/CVE-2022-23437