Uncontrolled Memory Allocation Affecting nokogiri package, versions <1.10.5


Severity

high (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-RUBY-NOKOGIRI-534637
  • published: 19 Nov 2019
  • disclosed: 17 Nov 2019
  • credit: Unknown

Introduced: 17 Nov 2019

CVE: not available   CWE: CWE-789

How to fix?

Upgrade nokogiri to version 1.10.5 or higher. Note that if nokogiri was installed against system libraries (the --use-system-libraries build option), the gem upgrade does not replace the libxslt actually loaded at runtime; in that case the operating system's libxslt package must also be updated past the affected 1.1.33 release.

Overview

nokogiri is a gem for parsing HTML and XML, with SAX and Reader (pull-parser) interfaces.

Affected versions of this package are vulnerable to Uncontrolled Memory Allocation. Nokogiri bundles (vendors) the libxslt C library, in which the following vulnerabilities were recently discovered.

CVE-2019-13117 In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

CVE-2019-13118 In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow, and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

CVE-2019-18197 In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
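As an added check for this advisory (example code written for this page, not tooling from Snyk or the Nokogiri project), the Ruby below does two things a practitioner would want: it parses a Gemfile.lock and flags a locked nokogiri below the fixed version 1.10.5, and it checks which libxslt is actually loaded, which is what matters when the gem was built against system libraries. Assumptions, labelled in the code: the lockfile text is a constructed sample; the hash shape used by the runtime check ("libxslt" => {"loaded" => ...}) is assumed to mirror Nokogiri::VERSION_INFO; and libxslt 1.1.33 or earlier is treated as affected on the assumption that the next libxslt release carries the fixes for the three CVEs above.

```ruby
# Added example for this advisory (not code from Snyk or the Nokogiri project).
# 1) Scan a Gemfile.lock for a locked nokogiri below the fixed version.
# 2) Check a Nokogiri::VERSION_INFO-shaped hash for the affected libxslt.
require "rubygems" # Gem::Version

ADVISORY = {
  id:               "SNYK-RUBY-NOKOGIRI-534637",
  gem:              "nokogiri",
  fixed_in:         "1.10.5",
  # Assumption: libxslt 1.1.33 is the affected release named in the CVEs and
  # the next release carries the fixes, so <= 1.1.33 is treated as affected.
  affected_libxslt: "1.1.33",
}.freeze

# Parse the "specs:" block of a Gemfile.lock into { gem_name => version }.
# Gems sit at exactly four spaces of indentation; deeper lines are dependency
# constraints ("      mini_portile2 (~> 2.4.0)") and are skipped.
def parse_lockfile_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # A blank line or an unindented section header (PLATFORMS, DEPENDENCIES) ends the block.
    in_specs = false if in_specs && (line.strip.empty? || line !~ /\A\s/)
    next unless in_specs
    next unless (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
    # Platform-specific gems are locked as "1.10.8-x86_64-linux"; drop the
    # platform suffix so Gem::Version does not read it as a prerelease tag.
    specs[m[1]] = m[2].split("-", 2).first
  end
  specs
end

# Returns a finding hash when the locked nokogiri is below the fixed version, else nil.
def check_lockfile(lockfile_text, advisory = ADVISORY)
  locked = parse_lockfile_specs(lockfile_text)[advisory[:gem]]
  return nil if locked.nil?
  # Gem::Version orders "1.10.5.rc1" < "1.10.5" < "1.10.10" correctly,
  # which a plain string comparison would not.
  return nil if Gem::Version.new(locked) >= Gem::Version.new(advisory[:fixed_in])
  { id: advisory[:id], gem: advisory[:gem], locked: locked, fixed_in: advisory[:fixed_in] }
end

# Runtime check on what is actually loaded. With --use-system-libraries the
# libxslt in use is the OS package, not the gem's vendored copy, so a gem
# upgrade alone does not settle this. The hash shape ("libxslt" => {"loaded" => ...})
# is assumed to mirror Nokogiri::VERSION_INFO; pass that constant in if yours has it.
def libxslt_affected?(version_info, advisory = ADVISORY)
  loaded = version_info.dig("libxslt", "loaded")
  return false if loaded.nil?
  Gem::Version.new(loaded) <= Gem::Version.new(advisory[:affected_libxslt])
end

# Constructed sample lockfile (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.4.0)
      nokogiri (1.10.4)
        mini_portile2 (~> 2.4.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
LOCK

if __FILE__ == $PROGRAM_NAME
  finding = check_lockfile(SAMPLE_LOCK)
  puts(finding ? "#{finding[:id]}: #{finding[:gem]} #{finding[:locked]} < #{finding[:fixed_in]}" : "no finding")
  puts "loaded libxslt affected: #{libxslt_affected?({ "libxslt" => { "loaded" => "1.1.33" } })}"
end
```

Run it against a real lockfile with `check_lockfile(File.read("Gemfile.lock"))`; the Gem::Version comparison is the important part, since a lexical compare would rank "1.10.10" below "1.10.5" and miss a fixed version or, worse, pass a vulnerable one.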

CVSS Scores

version 3.1