CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
nokogiri ships a copied version of the libxml2 library, and libxml2 is susceptible to two stack overflow vulnerabilities. The first is CVE-2017-9047. The function xmlSnprintfElementContent in valid.c is meant to recursively dump the element content definition into a char buffer buf of size size. After content->prefix is appended to buf, content->name is written to the buffer. The function checks whether the name will fit into the buffer, but it uses the len variable as the buffer length rather than the concatenated strlen(buf). This only happens when content->type is XML_ELEMENT_CONTENT_ELEMENT. Because this check is performed incorrectly, an attacker can write extra bytes beyond the allocated memory. The second is CVE-2017-9048, at the end of the same function xmlSnprintfElementContent in valid.c: libxml2 does not check that strlen(buf) + 2 < size, which allows the function to strcat 2 more characters.
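As an added illustration (not libxml2's or nokogiri's code), the following simplified C model contrasts the stale-length bookkeeping described above with a bounded append that re-measures the buffer before every write; the function names, the "prefix:name" plus occurrence-marker layout, and the `+ 10` slack in the flawed check are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>
/* Added example, not libxml2/nokogiri source: a simplified model of the
 * element-content dump above. An element renders as "prefix:name" plus an
 * occurrence marker ('?', '*', '+', or '\0' for none) into buf[size]. */
/* Bounded append: recompute strlen(buf) on every call and refuse a piece
 * that would not leave room for the NUL. Returns 1 if appended, 0 if dropped. */
static int bounded_cat(char *buf, size_t size, const char *piece)
{
    size_t used = strlen(buf), add = strlen(piece);   /* never cached */
    if (add + used + 1 > size)
        return 0;
    memcpy(buf + used, piece, add + 1);
    return 1;
}

/* Hardened form: prefix, ':', name and the marker are each checked against
 * the current length. Returns 1 if all fit, 0 if truncated (buf stays NUL-terminated). */
int dump_element_content_safe(char *buf, size_t size, const char *prefix,
                              const char *name, char ocur)
{
    char mark[2] = { ocur, '\0' };
    if (prefix && (!bounded_cat(buf, size, prefix) || !bounded_cat(buf, size, ":")))
        return 0;
    if (name && !bounded_cat(buf, size, name))
        return 0;
    return ocur == '\0' || bounded_cat(buf, size, mark);
}

/* Flawed bookkeeping as described for CVE-2017-9047/9048: `used` is measured
 * once, before the prefix is appended, and reused for the name check; the
 * marker and NUL go in unchecked. Returns how many bytes would land past the
 * end of buf if those checks were trusted (0: the stale check sufficed).
 * Nothing is written, and the " ..." truncation path is not modelled. */
size_t stale_len_overrun(size_t size, size_t used, const char *prefix,
                         const char *name, char ocur)
{
    size_t need = used;
    if (prefix) {
        if (size - used < strlen(prefix) + 10) return 0;  /* truncation path */
        need += strlen(prefix) + 1;                       /* buf grew, `used` did not */
    }
    if (name) {
        if (size - used < strlen(name) + 10) return 0;    /* stale `used` here */
        need += strlen(name);
    }
    need += (ocur != '\0') + 1;                           /* marker + NUL, unchecked */
    return need > size ? need - size : 0;
}
```

With a 40-byte buffer and a 24-character prefix and name, the stale check admits a write that ends 11 bytes past the buffer, while the bounded version stops after "prefix:" and reports truncation.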
References:
seclists.org/oss-sec/2017/q2/258
www.debian.org/security/2017/dsa-3952
www.openwall.com/lists/oss-security/2017/05/15/1
www.securityfocus.com/bid/98599
bugzilla.novell.com/show_bug.cgi?id=1039063
bugzilla.novell.com/show_bug.cgi?id=1039064
github.com/GNOME/libxml2/commit/932cc9896ab41475d4aa429c27d9afd175959d74
github.com/sparklemotion/nokogiri/issues/1673
lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
security.gentoo.org/glsa/201711-01