Lookup for vulnerable packages by Package URL.

Purl pkg:gem/nokogiri@1.16
Type gem
Namespace
Name nokogiri
Version 1.16
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.19.1
Latest_non_vulnerable_version 1.19.1
Affected_by_vulnerabilities
0
url VCID-365e-j8ta-h7cn
vulnerability_id VCID-365e-j8ta-h7cn
summary
Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
## Summary

Nokogiri upgrades its dependency libxml2 as follows:
- Nokogiri v1.15.6 upgrades libxml2 to [2.11.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.7) from 2.11.6
- Nokogiri v1.16.2 upgrades libxml2 to [2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5) from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

- CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
  - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements.

JRuby users are not affected.

## Mitigation

Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries, which will also address these same issues.
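The advisory's scope depends on three facts about an installation: the Nokogiri gem version, whether the CRuby extension uses the packaged or the system libxml2, and (for packaged builds) which libxml2 version was actually loaded. The Ruby script below, added here as an example and not part of the advisory or of Nokogiri itself, turns those rules into a single check. It assumes the shape of `Nokogiri::VERSION_INFO` (a `"version"` key, `"ruby" => {"engine"}` and `"libxml" => {"source", "loaded"}`), so it can run offline against a constructed hash and, when the gem is installed, against the live value; the version ranges come from the advisory text.

```ruby
# Added example: classify a Nokogiri installation against this advisory.
# Assumption: the hash passed to `assess` mirrors Nokogiri::VERSION_INFO.
require "rubygems" # Gem::Version / Gem::Requirement

# Fixed gem releases, as stated in the advisory ("~> 1.15.6 or >= 1.16.2").
FIXED_NOKOGIRI = [
  Gem::Requirement.new("~> 1.15.6"),
  Gem::Requirement.new(">= 1.16.2"),
].freeze

# libxml2 releases carrying the upstream fix, keyed by release line.
# Only the two lines named in the advisory are listed; other lines are
# reported as unknown rather than guessed.
FIXED_LIBXML2 = {
  "2.11" => Gem::Version.new("2.11.7"),
  "2.12" => Gem::Version.new("2.12.5"),
}.freeze

def assess(info)
  # JRuby never uses libxml2, so the advisory does not apply there.
  if info.dig("ruby", "engine") == "jruby"
    return { affected: false, reason: "JRuby is not affected" }
  end

  gem_version = Gem::Version.new(info["version"])
  if FIXED_NOKOGIRI.any? { |req| req.satisfied_by?(gem_version) }
    return { affected: false, reason: "nokogiri #{gem_version} is a fixed release" }
  end

  libxml = info["libxml"] || {}
  if libxml["source"] == "system"
    # Packaged libraries are not in use: the distro's libxml2 is what matters.
    return { affected: :check_distro,
             reason: "system libxml2 in use; follow the distro's libxml2 advisories" }
  end

  loaded = Gem::Version.new(libxml["loaded"].to_s)
  line = loaded.segments[0, 2].join(".")
  fixed = FIXED_LIBXML2[line]
  if fixed.nil?
    return { affected: :unknown,
             reason: "libxml2 #{loaded} is outside the release lines this advisory covers" }
  end
  if loaded >= fixed
    return { affected: false, reason: "packaged libxml2 #{loaded} already carries the fix" }
  end

  { affected: true,
    reason: "nokogiri #{gem_version} with packaged libxml2 #{loaded}; " \
            "upgrade to ~> 1.15.6 or >= 1.16.2" }
end

# Live value when the gem is present, nil otherwise (keeps the script runnable offline).
def current_nokogiri_info
  require "nokogiri"
  Nokogiri::VERSION_INFO
rescue LoadError
  nil
end

# Constructed sample: a CRuby install with an unpatched packaged libxml2.
SAMPLE_INFO = {
  "version" => "1.16.1",
  "ruby" => { "engine" => "ruby" },
  "libxml" => { "source" => "packaged", "loaded" => "2.12.4" },
}.freeze

if __FILE__ == $0
  info = current_nokogiri_info || SAMPLE_INFO
  result = assess(info)
  puts "#{result[:affected]}: #{result[:reason]}"
end
```

Run it inside the application's bundle (`bundle exec ruby check.rb`) so the loaded `Nokogiri::VERSION_INFO` is the one the application actually ships with; a `:check_distro` result means the packaged-library rule does not apply and the distro's `libxml2` version is the value to track instead.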

## Impact

From the CVE description, this issue applies to the `xmlTextReader` module (which underlies `Nokogiri::XML::Reader`):

> When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

## Timeline

- 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
- 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
- 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
- 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section
- 2024-03-16 09:03 EDT - v1.15.6 published (see discussion at https://github.com/sparklemotion/nokogiri/discussions/3146), updated mitigation information
- 2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information
references
0
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml
1
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
2
reference_url https://github.com/sparklemotion/nokogiri/discussions/3146
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/discussions/3146
3
reference_url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
4
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
5
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
6
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-25062
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-25062
8
reference_url https://github.com/advisories/GHSA-xc9x-jj77-9p9j
reference_id GHSA-xc9x-jj77-9p9j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xc9x-jj77-9p9j
fixed_packages
0
url pkg:gem/nokogiri@1.16.2
purl pkg:gem/nokogiri@1.16.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6r5w-pgkx-v3cb
1
vulnerability VCID-c6hb-sbhx-zqac
2
vulnerability VCID-ghbk-uumc-dug3
3
vulnerability VCID-jfh3-1sgm-7ug2
4
vulnerability VCID-q732-nexj-1ue6
5
vulnerability VCID-uf9q-1ds5-wbev
6
vulnerability VCID-w8jf-tsmr-g7cd
7
vulnerability VCID-yeku-1zjh-kbea
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.2
aliases GHSA-xc9x-jj77-9p9j, GMS-2024-127
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-365e-j8ta-h7cn
Fixing_vulnerabilities
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16