Upgrade nokogiri to version 1.10.5 or higher.
nokogiri is a gem providing HTML, XML, SAX, and Reader parsers.
Affected versions of this package are vulnerable to Uncontrolled Memory Allocation. Nokogiri bundles the libxslt C library, which has recently been found to contain the following vulnerabilities.
CVE-2019-13117
In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
CVE-2019-13118
In numbers.c in libxslt 1.1.33, a type holding the grouping characters of an xsl:number instruction was too narrow, and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.
CVE-2019-18197
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
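To act on the upgrade guidance above across a code base, the locked nokogiri version can be read from Gemfile.lock and compared against the fixed release. The following is an added example written for this page, not code from the advisory or from the nokogiri project; the Gemfile.lock content is constructed, and the 1.10.5 threshold and CVE identifiers come from the advisory.

```ruby
# Added example: flag a Gemfile.lock whose locked nokogiri predates 1.10.5.
require "rubygems"

FIXED_NOKOGIRI = Gem::Version.new("1.10.5")
ADVISORY_CVES  = %w[CVE-2019-13117 CVE-2019-13118 CVE-2019-18197].freeze

# Return the version string of gem_name from the "specs:" section of a
# Gemfile.lock, or nil when the gem is not locked at all.
def locked_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = true if line.strip == "specs:"
    in_specs = false if in_specs && line.strip.empty?
    next unless in_specs
    # A locked gem is indented exactly four spaces: "    nokogiri (1.10.4)";
    # its dependency constraints sit at six spaces and are skipped.
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Platform gems are locked as "1.10.4-x86_64-linux". Gem::Version reads a "-"
# suffix as a prerelease marker and would rank 1.10.5-x86_64-linux below
# 1.10.5, so the platform suffix is stripped before comparing.
def vulnerable_nokogiri?(version_str)
  Gem::Version.new(version_str.split("-").first) < FIXED_NOKOGIRI
end

def check_lockfile(lockfile_text)
  v = locked_version(lockfile_text, "nokogiri")
  return { locked: nil, vulnerable: false, action: "nokogiri not locked" } if v.nil?
  vuln = vulnerable_nokogiri?(v)
  { locked: v, vulnerable: vuln,
    action: vuln ? "upgrade to >= #{FIXED_NOKOGIRI} (#{ADVISORY_CVES.join(', ')})" : "ok" }
end

# Constructed sample lock file; not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.4.0)
      nokogiri (1.10.4)
        mini_portile2 (~> 2.4.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
LOCK

puts check_lockfile(SAMPLE_LOCK).inspect if __FILE__ == $PROGRAM_NAME
```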