28 matches found
Unchecked Return Value
Overview nokogiri is a gem for parsing HTML, XML, SAX, and Reader. Affected versions of this package are vulnerable to Unchecked Return Value from xmlC14NExecute, used in the canonicalize methods. These return and empty string rather than an error code for invalid and incomplete XML inputs...
GHSA-WX95-C6CV-8532 Nokogiri does not check the return value from xmlC14NExecute
Summary Nokogiri's CRuby extension fails to check the return value from xmlC14NExecute in the method Nokogiri::XML::Documentcanonicalize and Nokogiri::XML::Nodecanonicalize. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may...
EUVD-2021-1954
Malware in sbrugna...
Fedora: Security Advisory for rubygem-puma (FEDORA-2022-de968d1b6c)
The remote host is missing an update for the Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Internet Bug Bounty: Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag
It seems to be a problem caused by a difference between the nokogiri java implementation and the ruby implementation. jruby9.3.3.0 nokogiri java, use Rails::Html::SafeListSanitizer.new.sanitize, allow select/style tag code tags = %wselect style puts...
GHSA-XH29-R2W5-WX8M Nokogiri Improperly Handles Unexpected Data Type
Summary Nokogiri = 1.13.6. JRuby users are not affected. Workarounds To avoid this vulnerability in affected applications, ensure the untrusted input is a String by calling tos or equivalent. Credit This vulnerability was responsibly reported by @agustingianni and the Github Security Lab...
Nokogiri Improperly Handles Unexpected Data Type
Summary Nokogiri = 1.13.6. JRuby users are not affected. Workarounds To avoid this vulnerability in affected applications, ensure the untrusted input is a String by calling tos or equivalent. Credit This vulnerability was responsibly reported by @agustingianni and the Github Security Lab...
Improper Handling of Unexpected Data Type in Nokogiri
Summary Nokogiri = 1.13.6. JRuby users are not affected. Workarounds To avoid this vulnerability in affected applications, ensure the untrusted input is a String by calling tos or equivalent...
Vulnerable dependencies in Nokogiri
Summary Nokogiri v1.13.2 upgrades two of its packaged dependencies: - vendored libxml2 from v2.9.12 to v2.9.13 - vendored libxslt from v1.1.34 to v1.1.35 Those library versions address the following upstream CVEs: - libxslt: CVE-2021-30560 CVSS 8.8, High severity - libxml2: CVE-2022-23308...
GHSA-FQ42-C5RG-92C2 Vulnerable dependencies in Nokogiri
Summary Nokogiri v1.13.2 upgrades two of its packaged dependencies: - vendored libxml2 from v2.9.12 to v2.9.13 - vendored libxslt from v1.1.34 to v1.1.35 Those library versions address the following upstream CVEs: - libxslt: CVE-2021-30560 CVSS 8.8, High severity - libxml2: CVE-2022-23308...
Xxe
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are...
CVE-2021-41098
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are...
GHSA-2RR5-8Q37-2W7H Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Severity The Nokogiri maintainers have evaluated this as High Severity 7.5 CVSS3.0 for JRuby users. This security advisory does not apply to CRuby users. Impact In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who par...
GHSA-7RRM-V45F-JP64 Nokogiri updates packaged dependency on libxml2 from 2.9.10 to 2.9.12
Summary Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses: - CVE-2019-20388 Medium severity - CVE-2020-24977 Medium severity - CVE-2021-3517 Medium severity - CVE-2021-3518 Medium severity - CVE-2021-3537 Low severity - CVE-2021-3541 Low severity Note that two...
Denial of Service (DoS)
Overview nokogiri is a gem for parsing HTML, XML, SAX, and Reader. Affected versions of this package are vulnerable to Denial of Service DoS. Vulnerable version of libxml2 was used. The fix to this updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses: - CVE-2019-20388 -...
Nokogiri updates packaged dependency on libxml2 from 2.9.10 to 2.9.12
Summary Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses: - CVE-2019-20388 Medium severity - CVE-2020-24977 Medium severity - CVE-2021-3517 Medium severity - CVE-2021-3518 Medium severity - CVE-2021-3537 Low severity - CVE-2021-3541 Low severity Note that two...
Fedora: Security Advisory for rubygem-puma (FEDORA-2020-fe354f24e8)
The remote host is missing an update for the Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Amazon Linux AMI : ruby (ALAS-2012-35)
Ruby aka CRuby before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service CPU consumption via crafted input to an application that maintains a hash table. C Tenable Network...
CVE-2012-5371
Ruby aka CRuby 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service CPU consumption via crafted input to an application that maintains...
CVE-2012-5371
CVE-2012-5371 affects Ruby (CRuby) 1.9 prior to 1.9.3-p327 and 2.0 prior to r37575. The issue is that hash values can be triggered for collisions without proper restriction, enabling context-dependent attackers to cause CPU-driven denial of service via crafted input to hash-table data structures,...