CVE Vulnerability

CVE-2022-29181

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent.

6.4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact PARTIAL

Scope

8.2 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6 Release Notes Third Party Advisory
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m Issue Tracking Third Party Advisory
https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267 Patch Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri/ Exploit Third Party Advisory
https://security.gentoo.org/glsa/202208-29 Third Party Advisory
https://support.apple.com/kb/HT213532 Third Party Advisory
http://seclists.org/fulldisclosure/2022/Dec/23 Mailing List Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Information

Published : 2022-05-20 07:15

Updated : 2023-02-16 02:31

NVD link : CVE-2022-29181

Mitre link : CVE-2022-29181

Products Affected

Apple

Macos

CWE
CWE-241

Improper Handling of Unexpected Data Type