Lucene search

K

Debian DLA-3149-1 : ruby-nokogiri - LTS security update

The Debian 10 host is affected by multiple vulnerabilities in the ruby-nokogiri package, including command injection, XXE, and inefficient regular expression issues

Show more
Related
Refs
Code
ReporterTitlePublishedViews
Family
OSV
ruby-nokogiri - security update
12 Oct 202200:00
osv
OSV
Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability
30 Dec 202018:35
osv
OSV
CVE-2020-26247
30 Dec 202019:15
osv
OSV
ruby-nokogiri - security update
6 Jun 202100:00
osv
OSV
ruby-nokogiri - security update
3 Sep 202400:00
osv
OSV
Nokogiri Inefficient Regular Expression Complexity
11 Apr 202221:18
osv
OSV
CVE-2022-24836
11 Apr 202222:15
osv
OSV
ruby-nokogiri - security update
13 May 202200:00
osv
OSV
Nokogiri Command Injection Vulnerability
19 Aug 201919:27
osv
OSV
ruby-nokogiri - security update
26 Sep 201900:00
osv
Rows per page
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3149. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(166069);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/10/12");

  script_cve_id("CVE-2019-5477", "CVE-2020-26247", "CVE-2022-24836");

  script_name(english:"Debian DLA-3149-1 : ruby-nokogiri - LTS security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the
dla-3149 advisory.

  - A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a
    subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method
    `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This
    vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by
    Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was
    addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
    (CVE-2019-5477)

  - Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In
    Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by
    Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network,
    potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by
    Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed
    in Nokogiri version 1.11.0.rc4. (CVE-2020-26247)

  - Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient
    regular expression that is susceptible to excessive backtracking when attempting to detect encoding in
    HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for
    this issue. (CVE-2022-24836)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934802");
  # https://security-tracker.debian.org/tracker/source-package/ruby-nokogiri
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a4325c6e");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2022/dla-3149");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2019-5477");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-26247");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-24836");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/ruby-nokogiri");
  script_set_attribute(attribute:"solution", value:
"Upgrade the ruby-nokogiri packages.

For Debian 10 buster, these problems have been fixed in version 1.10.0+dfsg1-2+deb10u1.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5477");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ruby-nokogiri");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var release = get_kb_item('Host/Debian/release');
if ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');
var release = chomp(release);
if (! preg(pattern:"^(10)\.[0-9]+", string:release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '10.0', 'prefix': 'ruby-nokogiri', 'reference': '1.10.0+dfsg1-2+deb10u1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (release && prefix && reference) {
    if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ruby-nokogiri');
}

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
12 Oct 2022 00:00Current
7.9High risk
Vulners AI Score7.9
CVSS39.8
EPSS0.025
22
.json
Report