Metric | CVSS v3.1 (9.8, Critical) | CVSS v2 (7.5, High)
---|---|---
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | AV:N/AC:L/Au:N/C:P/I:P/A:P
Attack / Access Vector | NETWORK | NETWORK
Attack / Access Complexity | LOW | LOW
Privileges Required / Authentication | NONE | NONE
User Interaction | NONE | n/a
Scope | UNCHANGED | n/a
Confidentiality Impact | HIGH | PARTIAL
Integrity Impact | HIGH | PARTIAL
Availability Impact | HIGH | PARTIAL
Nokogiri 1.10.3 and earlier is vulnerable to command injection. The undocumented method Nokogiri::CSS::Tokenizer#load_file passes its filename argument to Ruby's Kernel.open, and Kernel.open treats a filename beginning with "|" as a command to run in a subprocess rather than a file to read. A process is therefore exploitable only if it calls Nokogiri::CSS::Tokenizer#load_file with an attacker-controlled filename; ordinary use of Nokogiri's CSS and XPath APIs does not reach this code path. The vulnerable load_file is generated by the Rexical gem (versions 1.0.6 and earlier); the linked Nokogiri commit regenerates the tokenizer with a fixed Rexical so that the file is opened with File.open, which never interprets a leading "|". Audit your own code base for the same pattern: any Kernel.open (bare open) call whose argument can be influenced by user input is a command-injection sink, and the fix is to use File.open, File.read, or IO.read with the explicit file-only semantics.
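The pattern described above, shown as an added example that is not Nokogiri's or Rexical's own code: a `vulnerable_load_file` that reproduces the Kernel.open sink, a `safe_load_file` that replaces it with File.open, and a `pipe_filename?` guard for code that cannot drop Kernel.open immediately. The function names, the constructed "|echo injected" filename and the temporary selector file are assumptions made for this illustration.

```ruby
require "tempfile"

# Vulnerable pattern (constructed for this example, not Nokogiri's code):
# Kernel#open treats a filename that starts with "|" as a shell command,
# spawns it, and hands back its stdout as an IO. If `filename` comes from
# a request, an attacker chooses the command that runs.
def vulnerable_load_file(filename)
  open(filename) { |io| io.read }
end

# Hardened replacement: File.open only ever opens a file. A name such as
# "|echo injected" is looked up literally on disk and fails with
# Errno::ENOENT instead of executing anything.
def safe_load_file(filename)
  File.open(filename, "r") { |io| io.read }
end

# Defensive guard for code that must keep Kernel#open for now: reject the
# pipe syntax before the call reaches it. Prefer File.open over this check.
def pipe_filename?(filename)
  filename.to_s.start_with?("|")
end

# Runs both variants against a constructed benign file and a constructed
# malicious "filename" and reports what each did.
def demonstrate
  results = {}
  Tempfile.create("selector") do |f|
    f.write("div > p")
    f.flush
    results[:benign_safe] = safe_load_file(f.path)
    results[:benign_vuln] = vulnerable_load_file(f.path)
  end

  malicious = "|echo injected"
  results[:malicious_vuln] = vulnerable_load_file(malicious) # subprocess ran
  results[:malicious_safe] =
    begin
      safe_load_file(malicious)
    rescue Errno::ENOENT
      :rejected_no_such_file
    end
  results[:guard_flags_it] = pipe_filename?(malicious)
  results
end

if $PROGRAM_NAME == __FILE__
  demonstrate.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Running it shows the vulnerable variant returning the echoed string (the command executed), while the hardened variant raises Errno::ENOENT for the same input and reads the real file correctly. The same audit applies to `URI.open`-style wrappers and to any `open(path)` call where `path` is not a literal.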
Package (CPE name) | Operator | Version
---|---|---
nokogiri (RubyGems) | le (<=) | 1.10.3
ruby-nokogiri (Ubuntu xenial) | eq (=) | 1.6.7.2
ruby-nokogiri (Ubuntu bionic) | eq (=) | 1.8.2
github.com/sparklemotion/nokogiri/commit/daffe223967b74b3205513b5e600aa5dfefe687d
github.com/sparklemotion/nokogiri/issues/1915
github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc
hackerone.com/reports/650835
lists.debian.org/debian-lts-announce/2019/09/msg00027.html
lists.debian.org/debian-lts-announce/2022/10/msg00018.html
lists.debian.org/debian-lts-announce/2022/10/msg00019.html
security.gentoo.org/glsa/202006-05
usn.ubuntu.com/4175-1/