Unchecked Return Value Affecting ruby-nokogiri package, versions <1.13.10+dfsg-1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIANUNSTABLE-RUBYNOKOGIRI-3172975
- published 15 Dec 2022
- disclosed 8 Dec 2022
How to fix?
Upgrade Debian:unstable ruby-nokogiri to version 1.13.10+dfsg-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ruby-nokogiri package and not the ruby-nokogiri package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri 1.13.8 and 1.13.9 fail to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed. For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri >= 1.13.10. Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.
References
- https://security-tracker.debian.org/tracker/CVE-2022-23476
- https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50
- https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj