Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
rubygemsRubySecRUBY:NOKOGIRI-2021-30560
HistoryFeb 20, 2022 - 9:00 p.m.

Update packaged libxml2 (2.9.12 β†’ 2.9.13) and libxslt (1.1.34 β†’ 1.1.35)

2022-02-2021:00:00
RubySec
rubysec.com
335
JSON

Summary

Nokogiri v1.13.2 upgrades two of its packaged dependencies:

  • vendored libxml2 from v2.9.12 to v2.9.13
  • vendored libxslt from v1.1.34 to v1.1.35

Those library versions address the following upstream CVEs:

  • libxslt: CVE-2021-30560 (CVSS 8.8, High severity)
  • libxml2: CVE-2022-23308 (Unspecified severity, see more information below)

Those library versions also address numerous other issues including performance
improvements, regression fixes, and bug fixes, as well as memory leaks and other
use-after-free issues that were not assigned CVEs.

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you’ve
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro’s libxml2
and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link an older version Nokogiri against external libraries
libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.

Impact

  • libxslt CVE-2021-30560
  • CVSS3 score: 8.8 (High)

Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c

All versions of libxslt prior to v1.1.35 are affected.

Applications using untrusted XSL stylesheets to transform XML are vulnerable to
a denial-of-service attack and should be upgraded immediately.

libxml2 CVE-2022-23308

The upstream commit and the explanation linked above indicate that an application
may be vulnerable to a denial of service, memory disclosure, or code execution if
it parses an untrusted document with parse options DTDVALID set to true, and NOENT
set to false.

An analysis of these parse options:

  • While NOENT is off by default for Document, DocumentFragment, Reader, and
    Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri
    v1.12.0 and later.
  • DTDVALID is an option that Nokogiri does not set for any operations, and so
    this CVE applies only to applications setting this option explicitly.

It seems reasonable to assume that any application explicitly setting the parse
option DTDVALID when parsing untrusted documents is vulnerable and should be
upgraded immediately.

CPENameOperatorVersion
nokogirilt1.13.2

Related

github 2
osv 13
nessus 75
veracode 2
photon 11
slackware 2
cnvd 2
gentoo 3
ubuntucve 2
alpinelinux 2
cbl_mariner 4
mageia 2
cve 2
mscve 1
prion 2
f5 1
oraclelinux 1
fedora 5
debiancve 2
debian 3
cloudfoundry 3
almalinux 1
redhatcve 1
redos 1
ubuntu 4
suse 8
cloudlinux 1
rocky 1
redhat 12
amazon 2
ibm 8
altlinux 1
rosalinux 1
archlinux 3
kaspersky 1
chrome 1
freebsd 1
ics 2
apple 6
tenable 1
oracle 3
github
github
Vulnerable dependencies in Nokogiri
2022-02-25 20:32:09
Nokogiri has vulnerable dependencies on libxml2 and libxslt
2022-05-24 19:09:47
osv
osv
Vulnerable dependencies in Nokogiri
2022-02-25 20:32:09
libxslt - security update
2022-08-24 00:00:00
CVE-2021-30560
2021-08-03 19:15:08
nessus
nessus
SUSE SLES12 Security Update : libxslt (SUSE-SU-2023:0556-1)
2023-03-01 00:00:00
Slackware Linux 14.0 / 14.1 / 14.2 / 15.0 / current libxslt Vulnerability (SSA:2022-059-02)
2022-03-01 00:00:00
EulerOS Virtualization 2.10.0 : libxslt (EulerOS-SA-2022-2876)
2022-12-27 00:00:00
veracode
veracode
Arbitrary Code Execution
2021-07-16 17:48:19
Use After Free
2022-02-28 13:21:21
photon
photon
Important Photon OS Security Update - PHSA-2022-0398
2022-05-30 00:00:00
Important Photon OS Security Update - PHSA-2022-0485
2022-06-17 00:00:00
Important Photon OS Security Update - PHSA-2022-3.0-0398
2022-05-30 00:00:00
slackware
slackware
[slackware-security] libxslt
2022-03-01 05:14:54
[slackware-security] libxml2
2022-03-01 05:14:36
cnvd
cnvd
Google Chrome Resource Management Error Vulnerability (CNVD-2021-68462)
2021-07-16 00:00:00
libxml2 Resource Management Error Vulnerability (CNVD-2022-21487)
2022-02-23 00:00:00
gentoo
gentoo
libxslt: Multiple Vulnerabilities
2023-10-31 00:00:00
libxml2: Multiple Vulnerabilities
2022-10-16 00:00:00
Chromium, Google Chrome: Multiple vulnerabilities
2021-07-22 00:00:00
ubuntucve
ubuntucve
CVE-2021-30560
2021-08-03 00:00:00
CVE-2022-23308
2022-02-26 00:00:00
alpinelinux
alpinelinux
CVE-2021-30560
2021-08-03 19:15:00
CVE-2022-23308
2022-02-26 05:15:00
cbl_mariner
cbl_mariner
CVE-2021-30560 affecting package libxslt 1.1.34-6
2022-06-03 17:54:00
CVE-2022-23308 affecting package libxml2 2.9.12-1
2022-03-19 16:40:53
CVE-2021-30560 affecting package libxslt 1.1.34-2
2022-06-15 17:03:07
mageia
mageia
Updated libxslt packages fix security vulnerability
2022-09-21 21:15:27
Updated libxml2 packages fix security vulnerability
2022-03-06 13:40:17
cve
cve
CVE-2021-30560
2021-08-03 19:15:00
CVE-2022-23308
2022-02-26 05:15:00
mscve
mscve
Chromium: CVE-2021-30560 Use after free in Blink XSLT
2021-07-19 07:00:00
prion
prion
Design/Logic Flaw
2022-02-26 05:15:00
Design/Logic Flaw
2021-08-03 19:15:00
f5
f5
K32760744 : libxml2 vulnerability CVE-2022-23308
2022-05-25 00:00:00
oraclelinux
oraclelinux
libxml2 security update
2022-03-16 00:00:00
fedora
fedora
[SECURITY] Fedora 35 Update: libxml2-2.9.13-1.fc35
2022-02-24 23:09:27
[SECURITY] Fedora 34 Update: libxml2-2.9.13-1.fc34
2022-03-08 21:33:04
[SECURITY] Fedora 33 Update: chromium-91.0.4472.164-1.fc33
2021-07-26 01:02:49
debiancve
debiancve
CVE-2022-23308
2022-02-26 05:15:00
CVE-2021-30560
2021-08-03 19:15:00
debian
debian
[SECURITY] [DSA 5216-1] libxslt security update
2022-08-24 15:04:29
[SECURITY] [DLA 3101-1] libxslt security update
2022-09-09 13:08:41
[SECURITY] [DLA 2972-1] libxml2 security update
2022-04-08 21:17:02
cloudfoundry
cloudfoundry
USN-5324-1: libxml2 vulnerability | Cloud Foundry
2022-05-23 00:00:00
USN-5575-1: Libxslt vulnerabilities | Cloud Foundry
2022-09-29 00:00:00
USN-5422-1: libxml2 vulnerabilities | Cloud Foundry
2022-07-29 00:00:00
almalinux
almalinux
Moderate: libxml2 security update
2022-03-15 09:12:39
redhatcve
redhatcve
CVE-2022-23308
2022-02-22 11:31:34
redos
redos
ROS-20220315-01
2022-03-15 00:00:00
ubuntu
ubuntu
libxml2 vulnerability
2022-03-14 00:00:00
Libxslt vulnerabilities
2022-08-22 00:00:00
Libxslt vulnerabilities
2022-08-22 00:00:00
suse
suse
Security update for python-libxml2-python (important)
2022-03-10 00:00:00
Security update for libxml2 (important)
2022-07-26 00:00:00
Security update for libxml2 (important)
2022-05-19 00:00:00
cloudlinux
cloudlinux
Fix of CVE: CVE-2022-23308
2022-03-14 11:04:40
rocky
rocky
libxml2 security update
2022-03-15 09:12:39
redhat
redhat
(RHSA-2022:0899) Moderate: libxml2 security update
2022-03-15 09:12:39
(RHSA-2022:1390) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP11 security update
2022-04-20 19:26:37
(RHSA-2022:1389) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP11 security update
2022-04-20 19:26:07
amazon
amazon
Medium: libxml2
2022-07-19 01:21:00
Medium: libxml2
2023-04-27 16:19:00
ibm
ibm
Security Bulletin: Multiple security vulnerabilities fixed in IBM Security Verify Access Appliance (CVE-2022-23308, CVE-2021-23840, CVE-2021-23841, CVE-2021-3712)
2022-07-06 18:26:46
Security Bulletin: IBM InfoSphere Identity Insight vulnerabilities in third party libraries (CVE-2021-39239, CVE-2022-23308, CVE-2021-29424, CVE-2020-15250, 177835)
2022-08-16 19:40:01
Security Bulletin: Mutiple Vulnerabilties Affecting Watson Machine Learning Accelerator on Cloud Pak for Data version
2023-11-13 15:22:22
altlinux
altlinux
Security fix for the ALT Linux 10 package libxml2 version 1:2.9.12-alt1.p10.1
2023-02-02 00:00:00
rosalinux
rosalinux
Advisory ROSA-SA-2024-2356
2024-02-20 10:05:34
archlinux
archlinux
[ASA-202107-31] vivaldi: arbitrary code execution
2021-07-16 00:00:00
[ASA-202107-30] chromium: arbitrary code execution
2021-07-16 00:00:00
[ASA-202107-46] opera: arbitrary code execution
2021-07-21 00:00:00
kaspersky
kaspersky
KLA12235 Multiple vulnerabilities in Microsoft Browser
2021-07-19 00:00:00
chrome
chrome
Stable Channel Update for Desktop
2021-07-15 00:00:00
freebsd
freebsd
chromium -- multiple vulnerabilities
2021-07-15 00:00:00
ics
ics
​Siemens SINAMICS Medium Voltage Products
2023-06-15 12:00:00
Siemens SCALANCE, RUGGEDCOM Third-Party
2023-03-16 12:00:00
apple
apple
About the security content of watchOS 8.6
2022-05-16 00:00:00
About the security content of tvOS 15.5
2022-05-16 00:00:00
About the security content of Security Update 2022-004 Catalina
2022-05-16 00:00:00
tenable
tenable
[R1] Nessus Network Monitor 6.2.2 Fixes Multiple Vulnerabilities
2023-06-29 10:45:47
oracle
oracle
Oracle Critical Patch Update Advisory - January 2023
2023-01-17 00:00:00
Oracle Critical Patch Update Advisory - July 2022
2022-07-19 00:00:00
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00
JSON
Related for RUBY:NOKOGIRI-2021-30560
github2osv13nessus75veracode2photon11slackware2cnvd2gentoo3ubuntucve2alpinelinux2cbl_mariner4mageia2cve2mscve1prion2f51oraclelinux1fedora5debiancve2debian3cloudfoundry3almalinux1redhatcve1redos1ubuntu4suse8cloudlinux1rocky1redhat12amazon2ibm8altlinux1rosalinux1archlinux3kaspersky1chrome1freebsd1ics2apple6tenable1oracle3