Unchecked Return Value Affecting ruby-nokogiri package, versions <1.13.10-r0


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.12% (47th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ALPINE321-RUBYNOKOGIRI-8489458
  • published6 Dec 2024
  • disclosed8 Dec 2022

Introduced: 8 Dec 2022

CVE-2022-23476  (opens in a new tab)
CWE-252  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade Alpine:3.21 ruby-nokogiri to version 1.13.10-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ruby-nokogiri package and not the ruby-nokogiri package as distributed by Alpine. See How to fix? for Alpine:3.21 relevant fixed versions and status.

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri 1.13.8 and 1.13.9 fail to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed. For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri &gt;= 1.13.10. Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

CVSS Scores

version 3.1