Debian 'ruby-nokogiri' package(s) update (DLA-3149-1) addresses command injection, XXE, and DoS vulnerabilities
Reporter | Title | Published | Views | Family |
---|---|---|---|---|
Debian | [SECURITY] [DLA 3149-1] ruby-nokogiri security update | 12 Oct 2022 14:46 | – | debian |
Debian | [SECURITY] [DLA 2678-1] ruby-nokogiri security update | 6 Jun 2021 19:00 | – | debian |
Debian | [SECURITY] [DLA 3003-1] ruby-nokogiri security update | 13 May 2022 17:29 | – | debian |
Debian | [SECURITY] [DLA 3150-1] rexical security update | 12 Oct 2022 14:46 | – | debian |
Debian | [SECURITY] [DLA 1933-1] ruby-nokogiri security update | 26 Sep 2019 01:54 | – | debian |
Tenable Nessus | Debian DLA-3149-1 : ruby-nokogiri - LTS security update | 12 Oct 2022 00:00 | – | nessus |
Tenable Nessus | openSUSE Security Update : rubygem-nokogiri (openSUSE-2021-237) | 8 Feb 2021 00:00 | – | nessus |
Tenable Nessus | Photon OS 2.0: Rubygem PHSA-2021-2.0-0413 | 15 Nov 2021 00:00 | – | nessus |
Tenable Nessus | GLSA-202208-29 : Nokogiri: Multiple Vulnerabilities | 15 Aug 2022 00:00 | – | nessus |
Tenable Nessus | FreeBSD : nokogiri -- Security vulnerability (13c54e6d-5c45-11eb-b4e2-001b217b3468) | 22 Jan 2021 00:00 | – | nessus |
Source | Link |
---|---|
security-tracker | www.security-tracker.debian.org/tracker/ruby-nokogiri |
wiki | www.wiki.debian.org/LTS |
debian | www.debian.org/lts/security/2022/DLA-3149-1 |
```nasl
# SPDX-FileCopyrightText: 2022 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.893149");
  script_cve_id("CVE-2019-5477", "CVE-2020-26247", "CVE-2022-24836");
  script_tag(name:"creation_date", value:"2022-10-13 01:00:10 +0000 (Thu, 13 Oct 2022)");
  script_version("2024-02-02T05:06:08+0000");
  script_tag(name:"last_modification", value:"2024-02-02 05:06:08 +0000 (Fri, 02 Feb 2024)");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2019-08-29 15:05:36 +0000 (Thu, 29 Aug 2019)");

  script_name("Debian: Security Advisory (DLA-3149-1)");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2022 Greenbone AG");
  script_family("Debian Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages", re:"ssh/login/release=DEB10");

  script_xref(name:"Advisory-ID", value:"DLA-3149-1");
  script_xref(name:"URL", value:"https://www.debian.org/lts/security/2022/DLA-3149-1");
  script_xref(name:"URL", value:"https://security-tracker.debian.org/tracker/ruby-nokogiri");
  script_xref(name:"URL", value:"https://wiki.debian.org/LTS");

  script_tag(name:"summary", value:"The remote host is missing an update for the Debian 'ruby-nokogiri' package(s) announced via the DLA-3149-1 advisory.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");

  script_tag(name:"insight", value:"Multiple vulnerabilities were discovered in Nokogiri, an HTML/XML/SAX/Reader parser for the Ruby programming language, leading to command injection, XML external entity injection (XXE), and denial-of-service (DoS).

CVE-2019-5477

A command injection vulnerability allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries.

CVE-2020-26247

XXE vulnerability: XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.

CVE-2022-24836

Nokogiri contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.

For Debian 10 buster, these problems have been fixed in version 1.10.0+dfsg1-2+deb10u1.

We recommend that you upgrade your ruby-nokogiri packages.

For the detailed security status of ruby-nokogiri please refer to its security tracker page at: [link moved to references]

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]");

  script_tag(name:"affected", value:"'ruby-nokogiri' package(s) on Debian 10.");

  script_tag(name:"solution", value:"Please install the updated package(s).");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-deb.inc");

release = dpkg_get_ssh_release();
if(!release)
  exit(0);

res = "";
report = "";

if(release == "DEB10") {

  if(!isnull(res = isdpkgvuln(pkg:"ruby-nokogiri", ver:"1.10.0+dfsg1-2+deb10u1", rls:"DEB10"))) {
    report += res;
  }

  if(report != "") {
    security_message(data:report);
  } else if(__pkg_match) {
    exit(99);
  }
  exit(0);
}

exit(0);
```