| 0 |
| url |
VCID-124d-zrmb-xue8 |
| vulnerability_id |
VCID-124d-zrmb-xue8 |
| summary |
Multiple vulnerabilities in libxml2, libxslt
The vendored libxml2 and libxslt libraries have multiple vulnerabilities: CVE-2015-1819 CVE-2015-7941_1 CVE-2015-7941_2 CVE-2015-7942 CVE-2015-7942-2 CVE-2015-8035 CVE-2015-7995 |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.6.6.3 |
| purl |
pkg:gem/nokogiri@1.6.6.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-9m3t-anwb-4fbx |
|
| 11 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 12 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 13 |
| vulnerability |
VCID-b8q3-sd61-rqhf |
|
| 14 |
| vulnerability |
VCID-ba5w-ed8b-duar |
|
| 15 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 16 |
| vulnerability |
VCID-by7n-zrpn-jubw |
|
| 17 |
| vulnerability |
VCID-cgmw-k7dg-gbdw |
|
| 18 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 19 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 20 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 21 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 22 |
| vulnerability |
VCID-efx2-bpu9-z7a4 |
|
| 23 |
| vulnerability |
VCID-egft-crba-6ubx |
|
| 24 |
| vulnerability |
VCID-fn1n-adz5-5fcy |
|
| 25 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 26 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 27 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 28 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 29 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 30 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 31 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 32 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 33 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 34 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 35 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 36 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 37 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 38 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 39 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 40 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 41 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 42 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 43 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 44 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 45 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 46 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 47 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 48 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 49 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 50 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 51 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 52 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 53 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.6.6.3 |
|
| 1 |
| url |
pkg:gem/nokogiri@1.6.7.rc4 |
| purl |
pkg:gem/nokogiri@1.6.7.rc4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-9m3t-anwb-4fbx |
|
| 11 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 12 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 13 |
| vulnerability |
VCID-b8q3-sd61-rqhf |
|
| 14 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 15 |
| vulnerability |
VCID-by7n-zrpn-jubw |
|
| 16 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 17 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 18 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 19 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 20 |
| vulnerability |
VCID-efx2-bpu9-z7a4 |
|
| 21 |
| vulnerability |
VCID-egft-crba-6ubx |
|
| 22 |
| vulnerability |
VCID-fn1n-adz5-5fcy |
|
| 23 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 24 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 25 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 26 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 27 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 28 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 29 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 30 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 31 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 32 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 33 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 34 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 35 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 36 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 37 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 38 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 39 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 40 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 41 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 42 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 43 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 44 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 45 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 46 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 47 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 48 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 49 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 50 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 51 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.6.7.rc4 |
|
|
| aliases |
GMS-2015-42
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-124d-zrmb-xue8 |
|
| 1 |
| url |
VCID-1sh8-bsk3-auct |
| vulnerability_id |
VCID-1sh8-bsk3-auct |
| summary |
libxml2 has a global Buffer Overflow vulnerability in `xmlEncodeEntitiesInternal` at `libxml2/entities.c`. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.11.4 |
| purl |
pkg:gem/nokogiri@1.11.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 5 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 6 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 7 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 8 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 9 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 10 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 11 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 12 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 13 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 14 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 15 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 16 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 17 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 18 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 19 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 20 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 21 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 22 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 23 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 24 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 25 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.11.4 |
|
|
| aliases |
CVE-2020-24977
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1sh8-bsk3-auct |
|
| 2 |
| url |
VCID-2r85-egs8-4be3 |
| vulnerability_id |
VCID-2r85-egs8-4be3 |
| summary |
Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
### Description
In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by `Nokogiri::XML::Schema`
are **trusted** by default, allowing external resources to be accessed over the
network, potentially enabling XXE or SSRF attacks.
This behavior is counter to
the security policy followed by Nokogiri maintainers, which is to treat all input
as **untrusted** by default whenever possible.
Please note that this security
fix was pushed into a new minor version, 1.11.x, rather than a patch release to
the 1.10.x branch, because it is a breaking change for some schemas and the risk
was assessed to be "Low Severity".
### Affected Versions
Nokogiri `<= 1.10.10` as well as prereleases `1.11.0.rc1`, `1.11.0.rc2`, and `1.11.0.rc3`
### Mitigation
There are no known workarounds for affected versions. Upgrade to Nokogiri
`1.11.0.rc4` or later.
If, after upgrading to `1.11.0.rc4` or later, you wish
to re-enable network access for resolution of external resources (i.e., return to
the previous behavior):
1. Ensure the input is trusted. Do not enable this option
for untrusted input.
2. When invoking the `Nokogiri::XML::Schema` constructor,
pass as the second parameter an instance of `Nokogiri::XML::ParseOptions` with the
`NONET` flag turned off.
So if your previous code was:
``` ruby
# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network
# but in v1.11.0.rc4 and later, this call will disallow network access for external resources
schema = Nokogiri::XML::Schema.new(schema)
# in v1.11.0.rc4 and later, the following is equivalent to the code above
# (the second parameter is optional, and this demonstrates its default value)
schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)
```
Then you can add the second parameter to indicate that the input is trusted by changing it to:
``` ruby
# in v1.11.0.rc3 and earlier, this would raise an ArgumentError
# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)
``` |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.11.0 |
| purl |
pkg:gem/nokogiri@1.11.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 1 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 2 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 3 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 4 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 5 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 6 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 7 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 8 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 9 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 10 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 11 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 12 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 13 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 14 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 15 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 16 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 17 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 18 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 19 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 20 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 21 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 22 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 23 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 24 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 25 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 26 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 27 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 28 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 29 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 30 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.11.0 |
|
|
| aliases |
CVE-2020-26247, GHSA-vr8q-g5c7-m54m
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2r85-egs8-4be3 |
|
| 3 |
| url |
VCID-4sg9-pjmx-6kfy |
| vulnerability_id |
VCID-4sg9-pjmx-6kfy |
| summary |
multiple issues |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.11.4 |
| purl |
pkg:gem/nokogiri@1.11.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 5 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 6 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 7 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 8 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 9 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 10 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 11 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 12 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 13 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 14 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 15 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 16 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 17 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 18 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 19 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 20 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 21 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 22 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 23 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 24 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 25 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.11.4 |
|
|
| aliases |
CVE-2021-3541
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4sg9-pjmx-6kfy |
|
| 4 |
| url |
VCID-5838-r3hp-wke4 |
| vulnerability_id |
VCID-5838-r3hp-wke4 |
| summary |
Integer Overflow or Wraparound in libxml2 affects Nokogiri
### Summary
Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from
v2.9.13 to [v2.9.14](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14).
libxml2 v2.9.14 addresses [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824).
This version also includes several security-related bug fixes for which CVEs were not created,
including a potential double-free, potential memory leaks, and integer-overflow.
Please note that this advisory only applies to the CRuby implementation of Nokogiri
`< 1.13.5`, and only if the _packaged_ libraries are being used. If you've overridden
defaults at installation time to use _system_ libraries instead of packaged libraries,
you should instead pay attention to your distro's `libxml2` and `libxslt` release announcements.
### Mitigation
Upgrade to Nokogiri `>= 1.13.5`.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation:
compile and link Nokogiri against external libraries libxml2 `>= 2.9.14` which will also
address these same issues.
### Impact
#### libxml2 [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824)
- **CVSS3 score**:
- Unspecified upstream
- Nokogiri maintainers evaluate at 8.6 (High) ([CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)). Note that this is different from the CVSS assessed by NVD.
- **Type**: Denial of service, information disclosure
- **Description**: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24
All versions of libml2 prior to v2.9.14 are affected.
Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.
### References
- [libxml2 v2.9.14 release notes](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14)
- [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824)
- [CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](https://cwe.mitre.org/data/definitions/119.html) |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.13.5 |
| purl |
pkg:gem/nokogiri@1.13.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 1 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 2 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 3 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 4 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 5 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 6 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 7 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 8 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 9 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 10 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 11 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 12 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 13 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 14 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 15 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 16 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.5 |
|
|
| aliases |
GHSA-cgx6-hpwq-fhv5, GMS-2022-1438
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5838-r3hp-wke4 |
|
| 5 |
| url |
VCID-5g9a-2484-rucp |
| vulnerability_id |
VCID-5g9a-2484-rucp |
| summary |
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.13.9 |
| purl |
pkg:gem/nokogiri@1.13.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 1 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 2 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 3 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 4 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 5 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 6 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 7 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 8 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 9 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 10 |
| vulnerability |
VCID-qhx2-j1jc-cyev |
|
| 11 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 12 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 13 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.9 |
|
|
| aliases |
CVE-2022-40304
|
| risk_score |
3.5 |
| exploitability |
0.5 |
| weighted_severity |
7.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5g9a-2484-rucp |
|
| 6 |
| url |
VCID-5xuf-r7bj-33fa |
| vulnerability_id |
VCID-5xuf-r7bj-33fa |
| summary |
Improper Input Validation
In `numbers.c` in libxslt, which is used by nokogiri, an `xsl:number` with certain format strings could lead to an uninitialized read in `xsltNumberFormatInsertNumbers`. This could allow an attacker to discern whether a byte on the stack contains the characters `[AaIi0]`, or any other character. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
| reference_url |
https://usn.ubuntu.com/4164-1/ |
| reference_id |
4164-1 |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:31:22Z/ |
|
|
| url |
https://usn.ubuntu.com/4164-1/ |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.10.5 |
| purl |
pkg:gem/nokogiri@1.10.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 6 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 7 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 8 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 9 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 10 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 11 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 12 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 13 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 14 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 15 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 16 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 17 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 18 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 19 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 20 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 21 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 22 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 23 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 24 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 25 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 26 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 27 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 28 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 29 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 30 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 31 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 32 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 33 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.5 |
|
|
| aliases |
CVE-2019-13117, GHSA-4hm9-844j-jmxp
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5xuf-r7bj-33fa |
|
| 7 |
| url |
VCID-66gp-78uh-aqem |
| vulnerability_id |
VCID-66gp-78uh-aqem |
| summary |
Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171
Nokogiri v1.18.3 upgrades its dependency libxml2 to
[v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6).
libxml2 v2.13.6 addresses:
- CVE-2025-24928
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
- CVE-2024-56171
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828 |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-5mwf-688x-mr7x
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-66gp-78uh-aqem |
|
| 8 |
| url |
VCID-67gm-m1up-gfaf |
| vulnerability_id |
VCID-67gm-m1up-gfaf |
| summary |
Nokogiri CSS selector tokenizer has regular expression backtracking
## Summary
Nokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release:
1. String-literal tokenization on certain unterminated quoted-string input.
2. String-literal tokenization on a separate class of hex-escape-rich input.
3. Identifier tokenization on hex-escape-rich input.
The public CSS selector methods that funnel through the affected tokenizer are `Nokogiri::CSS.xpath_for`, `Node#css`, `Node#at_css`, `Searchable#search`, and `CSS::Parser#parse`.
## Mitigation
Upgrade to Nokogiri `>= 1.19.3`.
If users are unable to upgrade, two options are available:
- Avoid the use of attacker-controlled text in CSS selectors. Applications that only pass developer-authored selectors to Nokogiri are not directly exposed.
- Set global `Regexp.timeout` (Ruby 3.2+, JRuby 9.4+) to bound parse time.
## Severity
The Nokogiri maintainers have evaluated this as **High Severity** (CVSS 7.5, `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`).
An attacker able to inject user-supplied text into a CSS selector parse method can cause exponential backtracking, resulting in a potential denial of service.
## Resources
- [CWE-1333: Inefficient Regular Expression Complexity](https://cwe.mitre.org/data/definitions/1333.html)
## Credit
Vector 1 was responsibly reported by @colby-swandale. Vectors 2 and 3 were discovered by @flavorjones during the response to the original report. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-c4rq-3m3g-8wgx
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-67gm-m1up-gfaf |
|
| 9 |
| url |
VCID-6t8y-27ba-cfa2 |
| vulnerability_id |
VCID-6t8y-27ba-cfa2 |
| summary |
multiple issues |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.11.4 |
| purl |
pkg:gem/nokogiri@1.11.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 5 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 6 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 7 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 8 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 9 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 10 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 11 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 12 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 13 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 14 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 15 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 16 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 17 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 18 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 19 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 20 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 21 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 22 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 23 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 24 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 25 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.11.4 |
|
|
| aliases |
CVE-2021-3537, GHSA-286v-pcf5-25rc
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6t8y-27ba-cfa2 |
|
| 10 |
| url |
VCID-74wj-a72v-s3gk |
| vulnerability_id |
VCID-74wj-a72v-s3gk |
| summary |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nokogiri. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.13.2 |
| purl |
pkg:gem/nokogiri@1.13.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 5 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 6 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 7 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 8 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 9 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 10 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 11 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 12 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 13 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 14 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 15 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 16 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 17 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 18 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 19 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 20 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 21 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 22 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.2 |
|
|
| aliases |
GHSA-fq42-c5rg-92c2, GMS-2022-163
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-74wj-a72v-s3gk |
|
| 11 |
| url |
VCID-9m3t-anwb-4fbx |
| vulnerability_id |
VCID-9m3t-anwb-4fbx |
| summary |
arbitrary code execution |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.7.1 |
| purl |
pkg:gem/nokogiri@1.7.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 11 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 12 |
| vulnerability |
VCID-b8q3-sd61-rqhf |
|
| 13 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 14 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 15 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 16 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 17 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 18 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 19 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 20 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 21 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 22 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 23 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 24 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 25 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 26 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 27 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 28 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 29 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 30 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 31 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 32 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 33 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 34 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 35 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 36 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 37 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 38 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 39 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 40 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 41 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 42 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 43 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 44 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 45 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 46 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.7.1 |
|
|
| aliases |
CVE-2016-4658, GHSA-fr52-4hqw-p27f
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9m3t-anwb-4fbx |
|
| 12 |
| url |
VCID-aef6-wkbr-1kfb |
| vulnerability_id |
VCID-aef6-wkbr-1kfb |
| summary |
Out-of-bounds Write in zlib affects Nokogiri
## Summary
Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032). That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.
Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.4`, and only if the packaged version of `zlib` is being used. Please see [this document](https://nokogiri.org/LICENSE-DEPENDENCIES.html#default-platform-release-ruby) for a complete description of which platform gems vendor `zlib`. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `zlib` release announcements.
## Mitigation
Upgrade to Nokogiri `>= v1.13.4`.
## Impact
### [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) in zlib
- **Severity**: High
- **Type**: [CWE-787](https://cwe.mitre.org/data/definitions/787.html) Out of bounds write
- **Description**: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.13.4 |
| purl |
pkg:gem/nokogiri@1.13.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 5 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 6 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 7 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 8 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 9 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 10 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 11 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 12 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 13 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 14 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 15 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 16 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 17 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4 |
|
|
| aliases |
GHSA-v6gp-9mmm-c6p5, GMS-2022-787
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-aef6-wkbr-1kfb |
|
| 13 |
| url |
VCID-akrb-6bu8-nqfq |
| vulnerability_id |
VCID-akrb-6bu8-nqfq |
| summary |
NULL Pointer Dereference
A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2019:1543 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T21:07:49Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2019:1543 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=1595985 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T21:07:49Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=1595985 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://gitlab.gnome.org/GNOME/libxml2/issues/10 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T21:07:49Z/ |
|
|
| url |
https://gitlab.gnome.org/GNOME/libxml2/issues/10 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
| reference_url |
https://usn.ubuntu.com/3739-2/ |
| reference_id |
3739-2 |
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T21:07:49Z/ |
|
|
| url |
https://usn.ubuntu.com/3739-2/ |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.8.5 |
| purl |
pkg:gem/nokogiri@1.8.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 11 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 12 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 13 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 14 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 15 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 16 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 17 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 18 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 19 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 20 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 21 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 22 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 23 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 24 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 25 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 26 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 27 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 28 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 29 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 30 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 31 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 32 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 33 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 34 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 35 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 36 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 37 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 38 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 39 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.8.5 |
|
|
| aliases |
CVE-2018-14404, GHSA-6qvp-r6r3-9p7h
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-akrb-6bu8-nqfq |
|
| 14 |
| url |
VCID-b8q3-sd61-rqhf |
| vulnerability_id |
VCID-b8q3-sd61-rqhf |
| summary |
multiple issues |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.7.1 |
| purl |
pkg:gem/nokogiri@1.7.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 11 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 12 |
| vulnerability |
VCID-b8q3-sd61-rqhf |
|
| 13 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 14 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 15 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 16 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 17 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 18 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 19 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 20 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 21 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 22 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 23 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 24 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 25 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 26 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 27 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 28 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 29 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 30 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 31 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 32 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 33 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 34 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 35 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 36 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 37 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 38 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 39 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 40 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 41 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 42 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 43 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 44 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 45 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 46 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.7.1 |
|
| 1 |
| url |
pkg:gem/nokogiri@1.7.2 |
| purl |
pkg:gem/nokogiri@1.7.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 11 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 12 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 13 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 14 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 15 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 16 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 17 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 18 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 19 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 20 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 21 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 22 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 23 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 24 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 25 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 26 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 27 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 28 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 29 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 30 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 31 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 32 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 33 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 34 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 35 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 36 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 37 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 38 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 39 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 40 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 41 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 42 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 43 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 44 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 45 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.7.2 |
|
|
| aliases |
CVE-2017-5029, GHSA-pf6m-fxpq-fg8v
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b8q3-sd61-rqhf |
|
| 15 |
| url |
VCID-ba5w-ed8b-duar |
| vulnerability_id |
VCID-ba5w-ed8b-duar |
| summary |
Unsafe parsing of unclosed comments
Parsing an unclosed comment can result in `Conditional jump or move depends on uninitialised value(s)` and unsafe memory access. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.6.6.4 |
| purl |
pkg:gem/nokogiri@1.6.6.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-9m3t-anwb-4fbx |
|
| 11 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 12 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 13 |
| vulnerability |
VCID-b8q3-sd61-rqhf |
|
| 14 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 15 |
| vulnerability |
VCID-by7n-zrpn-jubw |
|
| 16 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 17 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 18 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 19 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 20 |
| vulnerability |
VCID-efx2-bpu9-z7a4 |
|
| 21 |
| vulnerability |
VCID-egft-crba-6ubx |
|
| 22 |
| vulnerability |
VCID-fn1n-adz5-5fcy |
|
| 23 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 24 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 25 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 26 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 27 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 28 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 29 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 30 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 31 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 32 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 33 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 34 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 35 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 36 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 37 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 38 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 39 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 40 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 41 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 42 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 43 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 44 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 45 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 46 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 47 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 48 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 49 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 50 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 51 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.6.6.4 |
|
| 1 |
| url |
pkg:gem/nokogiri@1.6.7.rc4 |
| purl |
pkg:gem/nokogiri@1.6.7.rc4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-9m3t-anwb-4fbx |
|
| 11 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 12 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 13 |
| vulnerability |
VCID-b8q3-sd61-rqhf |
|
| 14 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 15 |
| vulnerability |
VCID-by7n-zrpn-jubw |
|
| 16 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 17 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 18 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 19 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 20 |
| vulnerability |
VCID-efx2-bpu9-z7a4 |
|
| 21 |
| vulnerability |
VCID-egft-crba-6ubx |
|
| 22 |
| vulnerability |
VCID-fn1n-adz5-5fcy |
|
| 23 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 24 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 25 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 26 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 27 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 28 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 29 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 30 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 31 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 32 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 33 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 34 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 35 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 36 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 37 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 38 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 39 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 40 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 41 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 42 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 43 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 44 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 45 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 46 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 47 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 48 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 49 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 50 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 51 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.6.7.rc4 |
|
|
| aliases |
GMS-2015-43
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ba5w-ed8b-duar |
|
| 16 |
| url |
VCID-bgcq-x9bd-83ap |
| vulnerability_id |
VCID-bgcq-x9bd-83ap |
| summary |
arbitrary code execution |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.13.2 |
| purl |
pkg:gem/nokogiri@1.13.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 5 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 6 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 7 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 8 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 9 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 10 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 11 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 12 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 13 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 14 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 15 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 16 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 17 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 18 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 19 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 20 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 21 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 22 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.2 |
|
|
| aliases |
CVE-2022-23308
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bgcq-x9bd-83ap |
|
| 17 |
| url |
VCID-by7n-zrpn-jubw |
| vulnerability_id |
VCID-by7n-zrpn-jubw |
| summary |
Vulnerabilities in libxml2
The vendored version of libxml2 is affected by multiple vulnerabilities. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.6.7.1 |
| purl |
pkg:gem/nokogiri@1.6.7.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-9m3t-anwb-4fbx |
|
| 11 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 12 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 13 |
| vulnerability |
VCID-b8q3-sd61-rqhf |
|
| 14 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 15 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 16 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 17 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 18 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 19 |
| vulnerability |
VCID-egft-crba-6ubx |
|
| 20 |
| vulnerability |
VCID-fn1n-adz5-5fcy |
|
| 21 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 22 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 23 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 24 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 25 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 26 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 27 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 28 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 29 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 30 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 31 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 32 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 33 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 34 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 35 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 36 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 37 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 38 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 39 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 40 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 41 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 42 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 43 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 44 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 45 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 46 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 47 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 48 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 49 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.6.7.1 |
|
|
| aliases |
GMS-2015-52
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-by7n-zrpn-jubw |
|
| 18 |
| url |
VCID-cgmw-k7dg-gbdw |
| vulnerability_id |
VCID-cgmw-k7dg-gbdw |
| summary |
Vulnerabilities in libxml2 and libxslt
Several vulnerabilities were discovered in the libxml2 and libxslt libraries that this package gem depends on. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.6.6.4 |
| purl |
pkg:gem/nokogiri@1.6.6.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-9m3t-anwb-4fbx |
|
| 11 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 12 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 13 |
| vulnerability |
VCID-b8q3-sd61-rqhf |
|
| 14 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 15 |
| vulnerability |
VCID-by7n-zrpn-jubw |
|
| 16 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 17 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 18 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 19 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 20 |
| vulnerability |
VCID-efx2-bpu9-z7a4 |
|
| 21 |
| vulnerability |
VCID-egft-crba-6ubx |
|
| 22 |
| vulnerability |
VCID-fn1n-adz5-5fcy |
|
| 23 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 24 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 25 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 26 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 27 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 28 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 29 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 30 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 31 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 32 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 33 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 34 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 35 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 36 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 37 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 38 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 39 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 40 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 41 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 42 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 43 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 44 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 45 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 46 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 47 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 48 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 49 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 50 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 51 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.6.6.4 |
|
| 1 |
| url |
pkg:gem/nokogiri@1.6.7.rc4 |
| purl |
pkg:gem/nokogiri@1.6.7.rc4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-9m3t-anwb-4fbx |
|
| 11 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 12 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 13 |
| vulnerability |
VCID-b8q3-sd61-rqhf |
|
| 14 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 15 |
| vulnerability |
VCID-by7n-zrpn-jubw |
|
| 16 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 17 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 18 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 19 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 20 |
| vulnerability |
VCID-efx2-bpu9-z7a4 |
|
| 21 |
| vulnerability |
VCID-egft-crba-6ubx |
|
| 22 |
| vulnerability |
VCID-fn1n-adz5-5fcy |
|
| 23 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 24 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 25 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 26 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 27 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 28 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 29 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 30 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 31 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 32 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 33 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 34 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 35 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 36 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 37 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 38 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 39 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 40 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 41 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 42 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 43 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 44 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 45 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 46 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 47 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 48 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 49 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 50 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 51 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.6.7.rc4 |
|
|
| aliases |
CVE-2015-1819, GHSA-q7wx-62r7-j2x7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cgmw-k7dg-gbdw |
|
| 19 |
| url |
VCID-chdv-jk6d-uuga |
| vulnerability_id |
VCID-chdv-jk6d-uuga |
| summary |
Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171
## Summary
Nokogiri v1.18.3 upgrades its dependency libxml2 to
[v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6).
libxml2 v2.13.6 addresses:
- CVE-2025-24928
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
- CVE-2024-56171
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828
## Impact
### CVE-2025-24928
Stack-buffer overflow is possible when reporting DTD validation
errors if the input contains a long (~3kb) QName prefix.
### CVE-2024-56171
Use-after-free is possible during validation against untrusted
XML Schemas (.xsd) and, potentially, validation of untrusted documents
against trusted Schemas if they make use of `xsd:keyref` in combination
with recursively defined types that have additional identity constraints. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-vvfq-8hwr-qm4m
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-chdv-jk6d-uuga |
|
| 20 |
| url |
VCID-d13x-y75t-2ugx |
| vulnerability_id |
VCID-d13x-y75t-2ugx |
| summary |
Nokogiri does not check the return value from xmlC14NExecute
Nokogiri's CRuby extension fails to check the return value from `xmlC14NExecute` in the method `Nokogiri::XML::Document#canonicalize` and `Nokogiri::XML::Node#canonicalize`. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may allow downstream libraries to accept invalid or incomplete canonicalized XML, which has been demonstrated to enable signature validation bypass in SAML libraries.
JRuby is not affected, as the Java implementation correctly raises `RuntimeError` on canonicalization failure. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-wx95-c6cv-8532
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d13x-y75t-2ugx |
|
| 21 |
| url |
VCID-e2q6-558r-4kam |
| vulnerability_id |
VCID-e2q6-558r-4kam |
| summary |
Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459
Nokogiri v1.16.5 upgrades its dependency libxml2 to
[2.12.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7) from 2.12.6.
libxml2 v2.12.7 addresses CVE-2024-34459:
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53 |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-r3w4-36x6-7r99
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e2q6-558r-4kam |
|
| 22 |
| url |
VCID-e8w6-ax3x-wqan |
| vulnerability_id |
VCID-e8w6-ax3x-wqan |
| summary |
multiple issues |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.11.4 |
| purl |
pkg:gem/nokogiri@1.11.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 5 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 6 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 7 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 8 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 9 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 10 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 11 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 12 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 13 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 14 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 15 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 16 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 17 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 18 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 19 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 20 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 21 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 22 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 23 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 24 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 25 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.11.4 |
|
|
| aliases |
CVE-2021-3517, GHSA-jw9f-hh49-cvp9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e8w6-ax3x-wqan |
|
| 23 |
| url |
VCID-efx2-bpu9-z7a4 |
| vulnerability_id |
VCID-efx2-bpu9-z7a4 |
| summary |
Vulnerabilities in libxml2
Several vulnerabilities were discovered in the libxml2 library that this package gem depends on. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.6.7.1 |
| purl |
pkg:gem/nokogiri@1.6.7.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-9m3t-anwb-4fbx |
|
| 11 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 12 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 13 |
| vulnerability |
VCID-b8q3-sd61-rqhf |
|
| 14 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 15 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 16 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 17 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 18 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 19 |
| vulnerability |
VCID-egft-crba-6ubx |
|
| 20 |
| vulnerability |
VCID-fn1n-adz5-5fcy |
|
| 21 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 22 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 23 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 24 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 25 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 26 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 27 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 28 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 29 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 30 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 31 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 32 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 33 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 34 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 35 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 36 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 37 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 38 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 39 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 40 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 41 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 42 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 43 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 44 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 45 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 46 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 47 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 48 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 49 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.6.7.1 |
|
|
| aliases |
CVE-2015-5312, GHSA-xjqg-9jvg-fgx2
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-efx2-bpu9-z7a4 |
|
| 24 |
| url |
VCID-egft-crba-6ubx |
| vulnerability_id |
VCID-egft-crba-6ubx |
| summary |
Uncontrolled Resource Consumption
dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the "<!DOCTYPE html" substring in a crafted HTML document. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.6.8 |
| purl |
pkg:gem/nokogiri@1.6.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-9m3t-anwb-4fbx |
|
| 11 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 12 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 13 |
| vulnerability |
VCID-b8q3-sd61-rqhf |
|
| 14 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 15 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 16 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 17 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 18 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 19 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 20 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 21 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 22 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 23 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 24 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 25 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 26 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 27 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 28 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 29 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 30 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 31 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 32 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 33 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 34 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 35 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 36 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 37 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 38 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 39 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 40 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 41 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 42 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 43 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 44 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 45 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 46 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 47 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.6.8 |
|
|
| aliases |
CVE-2015-8806, GHSA-7hp2-xwpj-95jq
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-egft-crba-6ubx |
|
| 25 |
| url |
VCID-fn1n-adz5-5fcy |
| vulnerability_id |
VCID-fn1n-adz5-5fcy |
| summary |
Improper Restriction of Operations within the Bounds of a Memory Buffer
Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.6.7.2 |
| purl |
pkg:gem/nokogiri@1.6.7.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-9m3t-anwb-4fbx |
|
| 11 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 12 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 13 |
| vulnerability |
VCID-b8q3-sd61-rqhf |
|
| 14 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 15 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 16 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 17 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 18 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 19 |
| vulnerability |
VCID-egft-crba-6ubx |
|
| 20 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 21 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 22 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 23 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 24 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 25 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 26 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 27 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 28 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 29 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 30 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 31 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 32 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 33 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 34 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 35 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 36 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 37 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 38 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 39 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 40 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 41 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 42 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 43 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 44 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 45 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 46 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 47 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 48 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.6.7.2 |
|
| 1 |
| url |
pkg:gem/nokogiri@1.6.8.rc1 |
| purl |
pkg:gem/nokogiri@1.6.8.rc1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-9m3t-anwb-4fbx |
|
| 11 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 12 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 13 |
| vulnerability |
VCID-b8q3-sd61-rqhf |
|
| 14 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 15 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 16 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 17 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 18 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 19 |
| vulnerability |
VCID-egft-crba-6ubx |
|
| 20 |
| vulnerability |
VCID-fn1n-adz5-5fcy |
|
| 21 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 22 |
| vulnerability |
VCID-gdgu-7d3a-uygr |
|
| 23 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 24 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 25 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 26 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 27 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 28 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 29 |
| vulnerability |
VCID-m91c-mfu9-bbbh |
|
| 30 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 31 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 32 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 33 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 34 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 35 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 36 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 37 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 38 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 39 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 40 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 41 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 42 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 43 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 44 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 45 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 46 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 47 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 48 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 49 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.6.8.rc1 |
|
|
| aliases |
CVE-2015-7499, GHSA-jxjr-5h69-qw3w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fn1n-adz5-5fcy |
|
| 26 |
| url |
VCID-ft4s-195a-8fcf |
| vulnerability_id |
VCID-ft4s-195a-8fcf |
| summary |
Improper Input Validation
In `numbers.c` in libxslt, which is used by nokogiri, a type holding grouping characters of an `xsl:number` instruction was too narrow and an invalid character/length combination could be passed to `xsltNumberFormatDecimal`, leading to a read of uninitialized stack data. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
http://seclists.org/fulldisclosure/2019/Aug/11 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
http://seclists.org/fulldisclosure/2019/Aug/11 |
|
| 6 |
| reference_url |
http://seclists.org/fulldisclosure/2019/Aug/13 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
http://seclists.org/fulldisclosure/2019/Aug/13 |
|
| 7 |
| reference_url |
http://seclists.org/fulldisclosure/2019/Aug/14 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
http://seclists.org/fulldisclosure/2019/Aug/14 |
|
| 8 |
| reference_url |
http://seclists.org/fulldisclosure/2019/Aug/15 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
http://seclists.org/fulldisclosure/2019/Aug/15 |
|
| 9 |
| reference_url |
http://seclists.org/fulldisclosure/2019/Jul/22 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
http://seclists.org/fulldisclosure/2019/Jul/22 |
|
| 10 |
| reference_url |
http://seclists.org/fulldisclosure/2019/Jul/23 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
http://seclists.org/fulldisclosure/2019/Jul/23 |
|
| 11 |
| reference_url |
http://seclists.org/fulldisclosure/2019/Jul/24 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
http://seclists.org/fulldisclosure/2019/Jul/24 |
|
| 12 |
| reference_url |
http://seclists.org/fulldisclosure/2019/Jul/26 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
http://seclists.org/fulldisclosure/2019/Jul/26 |
|
| 13 |
| reference_url |
http://seclists.org/fulldisclosure/2019/Jul/31 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
http://seclists.org/fulldisclosure/2019/Jul/31 |
|
| 14 |
| reference_url |
http://seclists.org/fulldisclosure/2019/Jul/37 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
http://seclists.org/fulldisclosure/2019/Jul/37 |
|
| 15 |
| reference_url |
http://seclists.org/fulldisclosure/2019/Jul/38 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
http://seclists.org/fulldisclosure/2019/Jul/38 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
| reference_url |
https://seclists.org/bugtraq/2019/Aug/21 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://seclists.org/bugtraq/2019/Aug/21 |
|
| 28 |
| reference_url |
https://seclists.org/bugtraq/2019/Aug/22 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://seclists.org/bugtraq/2019/Aug/22 |
|
| 29 |
| reference_url |
https://seclists.org/bugtraq/2019/Aug/23 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://seclists.org/bugtraq/2019/Aug/23 |
|
| 30 |
| reference_url |
https://seclists.org/bugtraq/2019/Aug/25 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://seclists.org/bugtraq/2019/Aug/25 |
|
| 31 |
| reference_url |
https://seclists.org/bugtraq/2019/Jul/35 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://seclists.org/bugtraq/2019/Jul/35 |
|
| 32 |
| reference_url |
https://seclists.org/bugtraq/2019/Jul/36 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://seclists.org/bugtraq/2019/Jul/36 |
|
| 33 |
| reference_url |
https://seclists.org/bugtraq/2019/Jul/37 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://seclists.org/bugtraq/2019/Jul/37 |
|
| 34 |
| reference_url |
https://seclists.org/bugtraq/2019/Jul/40 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://seclists.org/bugtraq/2019/Jul/40 |
|
| 35 |
| reference_url |
https://seclists.org/bugtraq/2019/Jul/41 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://seclists.org/bugtraq/2019/Jul/41 |
|
| 36 |
| reference_url |
https://seclists.org/bugtraq/2019/Jul/42 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://seclists.org/bugtraq/2019/Jul/42 |
|
| 37 |
|
| 38 |
|
| 39 |
| reference_url |
https://support.apple.com/kb/HT210346 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://support.apple.com/kb/HT210346 |
|
| 40 |
| reference_url |
https://support.apple.com/kb/HT210348 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://support.apple.com/kb/HT210348 |
|
| 41 |
| reference_url |
https://support.apple.com/kb/HT210351 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://support.apple.com/kb/HT210351 |
|
| 42 |
| reference_url |
https://support.apple.com/kb/HT210353 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://support.apple.com/kb/HT210353 |
|
| 43 |
| reference_url |
https://support.apple.com/kb/HT210356 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://support.apple.com/kb/HT210356 |
|
| 44 |
| reference_url |
https://support.apple.com/kb/HT210357 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://support.apple.com/kb/HT210357 |
|
| 45 |
| reference_url |
https://support.apple.com/kb/HT210358 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://support.apple.com/kb/HT210358 |
|
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
|
| 50 |
| reference_url |
https://usn.ubuntu.com/4164-1/ |
| reference_id |
4164-1 |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:35:56Z/ |
|
|
| url |
https://usn.ubuntu.com/4164-1/ |
|
| 51 |
|
| 52 |
|
| 53 |
|
| 54 |
|
| 55 |
|
| 56 |
|
| 57 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.10.5 |
| purl |
pkg:gem/nokogiri@1.10.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 6 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 7 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 8 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 9 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 10 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 11 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 12 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 13 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 14 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 15 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 16 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 17 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 18 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 19 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 20 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 21 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 22 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 23 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 24 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 25 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 26 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 27 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 28 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 29 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 30 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 31 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 32 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 33 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.5 |
|
|
| aliases |
CVE-2019-13118, GHSA-cf46-6xxh-pc75
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ft4s-195a-8fcf |
|
| 27 |
| url |
VCID-gdgu-7d3a-uygr |
| vulnerability_id |
VCID-gdgu-7d3a-uygr |
| summary |
Vulnerabilities in libxml2
The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663) It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. (CVE-2017-7375) It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-7376) Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-9047) Marcel Böhme and Van-Thuan Pham discovered a buffer overread in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service. (CVE-2017-9048) Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads in libxml2 when handling parameter-entity references. An attacker could use these to specially construct XML data that could cause a denial of service. (CVE-2017-9049, CVE-2017-9050) |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.8.1 |
| purl |
pkg:gem/nokogiri@1.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 11 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 12 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 13 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 14 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 15 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 16 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 17 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 18 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 19 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 20 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 21 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 22 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 23 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 24 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 25 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 26 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 27 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 28 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 29 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 30 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 31 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 32 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 33 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 34 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 35 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 36 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 37 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 38 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 39 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 40 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 41 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 42 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 43 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.8.1 |
|
|
| aliases |
USN-3424-1
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gdgu-7d3a-uygr |
|
| 28 |
| url |
VCID-gvjg-dk1p-2uek |
| vulnerability_id |
VCID-gvjg-dk1p-2uek |
| summary |
Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader
Nokogiri upgrades its dependency libxml2 as follows:
- v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
- v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4
libxml2 v2.11.7 and v2.12.5 address the following vulnerability:
CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if
the packaged libraries are being used. If you've overridden defaults at installation time to use
system libraries instead of packaged libraries, you should instead pay attention to your distro's
libxml2 release announcements.
JRuby users are not affected. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-vcc3-rw6f-jv97
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gvjg-dk1p-2uek |
|
| 29 |
| url |
VCID-gwrv-agck-yuex |
| vulnerability_id |
VCID-gwrv-agck-yuex |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
In the Loofah gem for Ruby, denylisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.8.3 |
| purl |
pkg:gem/nokogiri@1.8.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 11 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 12 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 13 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 14 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 15 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 16 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 17 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 18 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 19 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 20 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 21 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 22 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 23 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 24 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 25 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 26 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 27 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 28 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 29 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 30 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 31 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 32 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 33 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 34 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 35 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 36 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 37 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 38 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 39 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 40 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.8.3 |
|
|
| aliases |
CVE-2018-8048, GHSA-x7rv-cr6v-4vm4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gwrv-agck-yuex |
|
| 30 |
| url |
VCID-j98t-paam-97ec |
| vulnerability_id |
VCID-j98t-paam-97ec |
| summary |
Allocation of Resources Without Limits or Throttling
The xz_head function in xzlib.c in libxml2 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.8.2 |
| purl |
pkg:gem/nokogiri@1.8.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 11 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 12 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 13 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 14 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 15 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 16 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 17 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 18 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 19 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 20 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 21 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 22 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 23 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 24 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 25 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 26 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 27 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 28 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 29 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 30 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 31 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 32 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 33 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 34 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 35 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 36 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 37 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 38 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 39 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 40 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 41 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.8.2 |
|
|
| aliases |
CVE-2017-18258, GHSA-882p-jqgm-f45g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j98t-paam-97ec |
|
| 31 |
| url |
VCID-jvd7-7jes-4ffn |
| vulnerability_id |
VCID-jvd7-7jes-4ffn |
| summary |
Bypass of a protection mechanism in libxslt
The libxslt binary, which is included in nokogiri, allows bypass of a protection mechanism because callers of `xsltCheckRead` and `xsltCheckWrite` permit access even upon receiving a -1 error code. `xsltCheckRead` can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
| reference_url |
https://usn.ubuntu.com/3947-1/ |
| reference_id |
3947-1 |
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:18:22Z/ |
|
|
| url |
https://usn.ubuntu.com/3947-1/ |
|
| 31 |
| reference_url |
https://usn.ubuntu.com/3947-2/ |
| reference_id |
3947-2 |
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-28T18:18:22Z/ |
|
|
| url |
https://usn.ubuntu.com/3947-2/ |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.10.3 |
| purl |
pkg:gem/nokogiri@1.10.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 11 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 12 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 13 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 14 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 15 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 16 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 17 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 18 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 19 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 20 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 21 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 22 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 23 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 24 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 25 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 26 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 27 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 28 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 29 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 30 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 31 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 32 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 33 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 34 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 35 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 36 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 37 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 38 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.3 |
|
| 1 |
| url |
pkg:gem/nokogiri@1.10.4 |
| purl |
pkg:gem/nokogiri@1.10.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 11 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 12 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 13 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 14 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 15 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 16 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 17 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 18 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 19 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 20 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 21 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 22 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 23 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 24 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 25 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 26 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 27 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 28 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 29 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 30 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 31 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 32 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 33 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 34 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 35 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.4 |
|
|
| aliases |
CVE-2019-11068, GHSA-qxcg-xjjg-66mj
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jvd7-7jes-4ffn |
|
| 32 |
| url |
VCID-jxz3-ug52-cuhn |
| vulnerability_id |
VCID-jxz3-ug52-cuhn |
| summary |
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Nokogiri has backported the patch for CVE-2020-7595 into its vendored version
of libxml2, and released this as v1.10.8
CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and
so Nokogiri versions <= v1.10.7 are vulnerable. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
| reference_url |
https://usn.ubuntu.com/4274-1/ |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-03T15:33:37Z/ |
|
|
| url |
https://usn.ubuntu.com/4274-1/ |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.10.8 |
| purl |
pkg:gem/nokogiri@1.10.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 6 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 7 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 8 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 9 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 10 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 11 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 12 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 13 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 14 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 15 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 16 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 17 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 18 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 19 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 20 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 21 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 22 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 23 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 24 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 25 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 26 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 27 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 28 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 29 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 30 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 31 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 32 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.8 |
|
|
| aliases |
CVE-2020-7595, GHSA-7553-jr98-vx47
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jxz3-ug52-cuhn |
|
| 33 |
| url |
VCID-ktyd-dgdw-pber |
| vulnerability_id |
VCID-ktyd-dgdw-pber |
| summary |
Improper Handling of Unexpected Data Type in Nokogiri
### Summary
Nokogiri `< v1.13.6` does not type-check all inputs into the XML and HTML4 SAX parsers.
For CRuby users, this may allow specially crafted untrusted inputs to cause illegal
memory access errors (segfault) or reads from unrelated memory.
### Severity
The Nokogiri maintainers have evaluated this as **High 8.2** (CVSS3.1).
### Mitigation
CRuby users should upgrade to Nokogiri `>= 1.13.6`.
JRuby users are not affected.
### Workarounds
To avoid this vulnerability in affected applications, ensure the untrusted input is a
`String` by calling `#to_s` or equivalent. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.13.6 |
| purl |
pkg:gem/nokogiri@1.13.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 1 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 2 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 3 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 4 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 5 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 6 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 7 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 8 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 9 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 10 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 11 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 12 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 13 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 14 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 15 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.6 |
|
|
| aliases |
CVE-2022-29181, GHSA-xh29-r2w5-wx8m
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ktyd-dgdw-pber |
|
| 34 |
| url |
VCID-m91c-mfu9-bbbh |
| vulnerability_id |
VCID-m91c-mfu9-bbbh |
| summary |
Loop with Unreachable Exit Condition ('Infinite Loop')
parser.c in libxml2 does not prevent infinite recursion in parameter entities. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://bugzilla.gnome.org/show_bug.cgi?id=759579 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-04T13:30:08Z/ |
|
|
| url |
https://bugzilla.gnome.org/show_bug.cgi?id=759579 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
| reference_url |
https://usn.ubuntu.com/3739-1/ |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-04T13:30:08Z/ |
|
|
| url |
https://usn.ubuntu.com/3739-1/ |
|
| 15 |
|
| 16 |
| reference_url |
http://xmlsoft.org/news.html |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-04T13:30:08Z/ |
|
|
| url |
http://xmlsoft.org/news.html |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.8.1 |
| purl |
pkg:gem/nokogiri@1.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 11 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 12 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 13 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 14 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 15 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 16 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 17 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 18 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 19 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 20 |
| vulnerability |
VCID-j98t-paam-97ec |
|
| 21 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 22 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 23 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 24 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 25 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 26 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 27 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 28 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 29 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 30 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 31 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 32 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 33 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 34 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 35 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 36 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 37 |
| vulnerability |
VCID-ueh5-fv4d-a7a8 |
|
| 38 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 39 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 40 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 41 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 42 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 43 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.8.1 |
|
|
| aliases |
CVE-2017-16932, GHSA-x2fm-93ww-ggvx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m91c-mfu9-bbbh |
|
| 35 |
| url |
VCID-mgf4-zdnr-tba4 |
| vulnerability_id |
VCID-mgf4-zdnr-tba4 |
| summary |
Nokogiri XSLT transform has a memory leak
## Summary
Nokogiri's `Nokogiri::XSLT::Stylesheet#transform` leaks a small heap allocation when passed a Ruby string parameter containing a null byte.
For applications that pass attacker-controlled input through `XSLT.transform` parameters, this may be a vector for a denial of service attack against long-running processes.
## Mitigation
Upgrade to Nokogiri `>= 1.19.3`.
Users may also be able to mitigate this issue without upgrading by validating untrusted transform parameters before passing them to `Nokogiri::XSLT::Stylesheet#transform`.
## Severity
The Nokogiri maintainers have evaluated this as **Moderate Severity**, CVSS 5.3.
Each leaked allocation is approximately 24–32 bytes, so meaningful memory growth requires sustained attacker-controlled traffic at high call rates. The bug does not cause memory corruption, information disclosure, or any change in the behavior of the transform itself, and the string-handling exception is raised as expected.
Applications that do not pass raw attacker-controlled bytes to XSLT parameters are unlikely to be affected in practice.
## Resources
- [CWE-401: Missing Release of Memory after Effective Lifetime](https://cwe.mitre.org/data/definitions/401.html)
## Credit
This vulnerability was responsibly reported by @Captainjack-kor. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-v2fc-qm4h-8hqv
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mgf4-zdnr-tba4 |
|
| 36 |
| url |
VCID-nuzy-ruzb-dke6 |
| vulnerability_id |
VCID-nuzy-ruzb-dke6 |
| summary |
Update packaged dependency libxml2 from 2.9.10 to 2.9.12
### Summary
Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses:
- [CVE-2019-20388](https://security.archlinux.org/CVE-2019-20388) (Medium severity)
- [CVE-2020-24977](https://security.archlinux.org/CVE-2020-24977) (Medium severity)
- [CVE-2021-3517](https://security.archlinux.org/CVE-2021-3517) (Medium severity)
- [CVE-2021-3518](https://security.archlinux.org/CVE-2021-3518) (Medium severity)
- [CVE-2021-3537](https://security.archlinux.org/CVE-2021-3537) (Low severity)
- [CVE-2021-3541](https://security.archlinux.org/CVE-2021-3541) (Low severity)
Note that two additional CVEs were addressed upstream but are not relevant to this release. [CVE-2021-3516](https://security.archlinux.org/CVE-2021-3516) via `xmllint` is not present in Nokogiri, and [CVE-2020-7595](https://security.archlinux.org/CVE-2020-7595) has been patched in Nokogiri since v1.10.8 (see #1992).
Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.11.4`, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements.
### Mitigation
Upgrade to Nokogiri `>= 1.11.4`.
### Impact
I've done a brief analysis of the published CVEs that are addressed in this upstream release. The libxml2 maintainers have not released a canonical set of CVEs, and so this list is pieced together from secondary sources and may be incomplete.
All information below is sourced from [security.archlinux.org](https://security.archlinux.org), which appears to have the most up-to-date information as of this analysis.
#### [CVE-2019-20388](https://security.archlinux.org/CVE-2019-20388)
- **Severity**: Medium
- **Type**: Denial of service
- **Description**: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service.
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.
#### [CVE-2020-7595](https://security.archlinux.org/CVE-2020-7595)
- **Severity**: Medium
- **Type**: Denial of service
- **Description**: xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5
This has been patched in Nokogiri since v1.10.8 (see #1992).
#### [CVE-2020-24977](https://security.archlinux.org/CVE-2020-24977)
- **Severity**: Medium
- **Type**: Information disclosure
- **Description**: GNOME project libxml2 <= 2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.
#### [CVE-2021-3516](https://security.archlinux.org/CVE-2021-3516)
- **Severity**: Medium
- **Type**: Arbitrary code execution (no remote vector)
- **Description**: A use-after-free security issue was found libxml2 before version 2.9.11 when "xmllint --html --push" is used to process crafted files.
- **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539
Verified that the fix commit first appears in v2.9.11. This vector does not exist within Nokogiri, which does not ship `xmllint`.
#### [CVE-2021-3517](https://security.archlinux.org/CVE-2021-3517)
- **Severity**: Medium
- **Type**: Arbitrary code execution
- **Description**: A heap-based buffer overflow was found in libxml2 before version 2.9.11 when processing truncated UTF-8 input.
- **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.
#### [CVE-2021-3518](https://security.archlinux.org/CVE-2021-3518)
- **Severity**: Medium
- **Type**: Arbitrary code execution
- **Description**: A use-after-free security issue was found in libxml2 before version 2.9.11 in xmlXIncludeDoProcess() in xinclude.c when processing crafted files.
- **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.
#### [CVE-2021-3537](https://security.archlinux.org/CVE-2021-3537)
- **Severity**: Low
- **Type**: Denial of service
- **Description**: It was found that libxml2 before version 2.9.11 did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application.
- **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/243
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.
#### [CVE-2021-3541](https://security.archlinux.org/CVE-2021-3541)
- **Severity**: Low
- **Type**: Denial of service
- **Description**: A security issue was found in libxml2 before version 2.9.11. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4, however Nokogiri's default parse options prevent the attack from succeeding (it is necessary to opt into `DTDLOAD` which is off by default).
For more details supporting this analysis of this CVE, please visit #2233. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.11.4 |
| purl |
pkg:gem/nokogiri@1.11.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 5 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 6 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 7 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 8 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 9 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 10 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 11 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 12 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 13 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 14 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 15 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 16 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 17 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 18 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 19 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 20 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 21 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 22 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 23 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 24 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 25 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.11.4 |
|
|
| aliases |
GHSA-7rrm-v45f-jp64, GMS-2021-171
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nuzy-ruzb-dke6 |
|
| 37 |
|
| 38 |
| url |
VCID-pb6j-zdqw-g7cj |
| vulnerability_id |
VCID-pb6j-zdqw-g7cj |
| summary |
Nokogiri patches vendored libxml2 to resolve multiple CVEs
## Summary
Nokogiri v1.18.9 patches the vendored libxml2 to address
CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795,
and CVE-2025-49796.
## Impact and severity
### CVE-2025-6021
A flaw was found in libxml2's xmlBuildQName function, where integer
overflows in buffer size calculations can lead to a stack-based
buffer overflow. This issue can result in memory corruption or a
denial of service when processing crafted input.
NVD claims a severity of 7.5 High
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae
### CVE-2025-6170
A flaw was found in the interactive shell of the xmllint command-line
tool, used for parsing XML files. When a user inputs an overly long
command, the program does not check the input size properly, which
can cause it to crash. This issue might allow attackers to run
harmful code in rare configurations without modern protections.
NVD claims a severity of 2.5 Low
(CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)
Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1
### CVE-2025-49794
A use-after-free vulnerability was found in libxml2. This issue
occurs when parsing XPath elements under certain circumstances when
the XML schematron has the <sch:name path="..."/> schema elements.
This flaw allows a malicious actor to craft a malicious XML document
used as input for libxml, resulting in the program's crash using
libxml or other possible undefined behaviors.
NVD claims a severity of 9.1 Critical
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5
### CVE-2025-49795
A NULL pointer dereference vulnerability was found in libxml2 when
processing XPath XML expressions. This flaw allows an attacker to
craft a malicious XML input to libxml2, leading to a denial of service.
NVD claims a severity of 7.5 High
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278
### CVE-2025-49796
A vulnerability was found in libxml2. Processing certain sch:name
elements from the input XML file can trigger a memory corruption
issue. This flaw allows an attacker to craft a malicious XML input
file that can lead libxml to crash, resulting in a denial of service
or other possible undefined behavior due to sensitive data being
corrupted in memory.
NVD claims a severity of 9.1 Critical
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5
## Affected Versions
- Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2
## Patched Versions
- Nokogiri >= 1.18.9
## Mitigation
Upgrade to Nokogiri v1.18.9 or later.
Users who are unable to upgrade Nokogiri may also choose a more
complicated mitigation: compile and link Nokogiri against patched
external libxml2 libraries which will also address these same issues. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-353f-x4gh-cqq8
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pb6j-zdqw-g7cj |
|
| 39 |
| url |
VCID-pr2j-1118-hqaa |
| vulnerability_id |
VCID-pr2j-1118-hqaa |
| summary |
Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
### Summary
Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to
[v2.10.3](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3) from
v2.9.14.
libxml2 v2.10.3 addresses the following known vulnerabilities:
- [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)
- [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)
- [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)
Please note that this advisory only applies to the CRuby implementation of
Nokogiri `< 1.13.9`, and only if the _packaged_ libraries are being used. If
you've overridden defaults at installation time to use _system_ libraries
instead of packaged libraries, you should instead pay attention to your
distro's `libxml2` release announcements.
### Mitigation
Upgrade to Nokogiri `>= 1.13.9`.
Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link Nokogiri against external libraries libxml2
`>= 2.10.3` which will also address these same issues.
### Impact
#### libxml2 [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)
- **CVSS3 score**: Under evaluation
- **Type**: Denial of service
- **Description**: NULL Pointer Dereference allows attackers to cause a denial
of service (or application crash). This only applies when lxml is used
together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not
affected. It allows triggering crashes through forged input data, given a
vulnerable code sequence in the application. The vulnerability is caused by
the iterwalk function (also used by the canonicalize function). Such code
shouldn't be in wide-spread use, given that parsing + iterwalk would usually
be replaced with the more efficient iterparse function. However, an XML
converter that serialises to C14N would also be vulnerable, for example, and
there are legitimate use cases for this code sequence. If untrusted input is
received (also remotely) and processed via iterwalk function, a crash can be
triggered.
Nokogiri maintainers investigated at #2620 and determined this CVE does not
affect Nokogiri users.
#### libxml2 [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)
- **CVSS3 score**: Unspecified upstream
- **Type**: Data corruption, denial of service
- **Description**: When an entity reference cycle is detected, the entity
content is cleared by setting its first byte to zero. But the entity content
might be allocated from a dict. In this case, the dict entry becomes corrupted
leading to all kinds of logic errors, including memory errors like
double-frees.
See https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2
#### libxml2 [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)
- **CVSS3 score**: Unspecified upstream
- **Type**: Integer overflow
- **Description**: Integer overflows with XML_PARSE_HUGE
See https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0 |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.13.9 |
| purl |
pkg:gem/nokogiri@1.13.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 1 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 2 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 3 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 4 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 5 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 6 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 7 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 8 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 9 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 10 |
| vulnerability |
VCID-qhx2-j1jc-cyev |
|
| 11 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 12 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 13 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.9 |
|
|
| aliases |
GHSA-2qc6-mcvw-92cw, GMS-2022-5550
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pr2j-1118-hqaa |
|
| 40 |
| url |
VCID-q3td-7t4g-57ba |
| vulnerability_id |
VCID-q3td-7t4g-57ba |
| summary |
Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459
## Summary
Nokogiri v1.16.5 upgrades its dependency libxml2 to
[2.12.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7) from 2.12.6.
libxml2 v2.12.7 addresses CVE-2024-34459:
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53
## Impact
There is no impact to Nokogiri users because the issue is present only
in libxml2's `xmllint` tool which Nokogiri does not provide or expose.
## Timeline
- 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
- 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
- 2024-05-13 10:05 EDT, nokogiri [v1.16.5 is released](https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5)
and this GHSA made public |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-r95h-9x8f-r3f7
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q3td-7t4g-57ba |
|
| 41 |
| url |
VCID-qa31-1xtw-ybdg |
| vulnerability_id |
VCID-qa31-1xtw-ybdg |
| summary |
An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.13.9 |
| purl |
pkg:gem/nokogiri@1.13.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 1 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 2 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 3 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 4 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 5 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 6 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 7 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 8 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 9 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 10 |
| vulnerability |
VCID-qhx2-j1jc-cyev |
|
| 11 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 12 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 13 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.9 |
|
|
| aliases |
CVE-2022-40303
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qa31-1xtw-ybdg |
|
| 42 |
| url |
VCID-qkq6-n1ds-x7e5 |
| vulnerability_id |
VCID-qkq6-n1ds-x7e5 |
| summary |
Inefficient Regular Expression Complexity
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.13.4 |
| purl |
pkg:gem/nokogiri@1.13.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 5 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 6 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 7 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 8 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 9 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 10 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 11 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 12 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 13 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 14 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 15 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 16 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 17 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4 |
|
|
| aliases |
CVE-2022-24836, GHSA-crjr-9rc5-ghw8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qkq6-n1ds-x7e5 |
|
| 43 |
| url |
VCID-tggj-xch8-jqcv |
| vulnerability_id |
VCID-tggj-xch8-jqcv |
| summary |
XML Injection in Xerces Java affects Nokogiri
## Summary
Nokogiri v1.13.4 updates the vendored `xerces:xercesImpl` from 2.12.0 to 2.12.2, which addresses [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437). That CVE is scored as CVSS 6.5 "Medium" on the NVD record.
Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`.
## Mitigation
Upgrade to Nokogiri `>= v1.13.4`.
## Impact
### [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437) in xerces-J
- **Severity**: Medium
- **Type**: [CWE-91](https://cwe.mitre.org/data/definitions/91.html) XML Injection (aka Blind XPath Injection)
- **Description**: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
- **See also**: https://github.com/advisories/GHSA-h65f-jvqw-m9fj |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.13.4 |
| purl |
pkg:gem/nokogiri@1.13.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 5 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 6 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 7 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 8 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 9 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 10 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 11 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 12 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 13 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 14 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 15 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 16 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 17 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4 |
|
|
| aliases |
GHSA-xxx9-3xcr-gjj3, GMS-2022-788
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tggj-xch8-jqcv |
|
| 44 |
| url |
VCID-u2yz-dthy-1fdr |
| vulnerability_id |
VCID-u2yz-dthy-1fdr |
| summary |
Denial of Service (DoS) in Nokogiri on JRuby
## Summary
Nokogiri `v1.13.4` updates the vendored `org.cyberneko.html` library to `1.9.22.noko2` which addresses [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv). That CVE is rated 7.5 (High Severity).
See [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) for more information.
Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`.
## Mitigation
Upgrade to Nokogiri `>= 1.13.4`.
## Impact
### [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) in nekohtml
- **Severity**: High 7.5
- **Type**: [CWE-400](https://cwe.mitre.org/data/definitions/400.html) Uncontrolled Resource Consumption
- **Description**: The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup.
- **See also**: [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.13.4 |
| purl |
pkg:gem/nokogiri@1.13.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 5 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 6 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 7 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 8 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 9 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 10 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 11 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 12 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 13 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 14 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 15 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 16 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 17 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4 |
|
|
| aliases |
GHSA-gx8x-g87m-h5q6, GMS-2022-786
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u2yz-dthy-1fdr |
|
| 45 |
| url |
VCID-u6wn-nety-sbde |
| vulnerability_id |
VCID-u6wn-nety-sbde |
| summary |
Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs
## Summary
Nokogiri v1.18.4 upgrades its dependency libxslt to
[v1.1.43](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.43).
libxslt v1.1.43 resolves:
- CVE-2025-24855: Fix use-after-free of XPath context node
- CVE-2024-55549: Fix UAF related to excluded namespaces
## Impact
### CVE-2025-24855
- "Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node"
- MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
- Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855
### CVE-2024-55549
- "Use-after-free related to excluded result prefixes"
- MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
- Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549 |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-mrxw-mxhj-p664
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u6wn-nety-sbde |
|
| 46 |
| url |
VCID-u9b2-qx2j-c7by |
| vulnerability_id |
VCID-u9b2-qx2j-c7by |
| summary |
multiple issues |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
|
| 50 |
|
| 51 |
|
| 52 |
|
| 53 |
|
| 54 |
|
| 55 |
|
| 56 |
|
| 57 |
|
| 58 |
|
| 59 |
|
| 60 |
|
| 61 |
|
| 62 |
|
| 63 |
|
| 64 |
|
| 65 |
|
| 66 |
|
| 67 |
|
| 68 |
|
| 69 |
|
| 70 |
|
| 71 |
|
| 72 |
|
| 73 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.10.4 |
| purl |
pkg:gem/nokogiri@1.10.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 11 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 12 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 13 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 14 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 15 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 16 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 17 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 18 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 19 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 20 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 21 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 22 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 23 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 24 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 25 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 26 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 27 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 28 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 29 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 30 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 31 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 32 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 33 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 34 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 35 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.4 |
|
| 1 |
| url |
pkg:gem/nokogiri@1.10.5 |
| purl |
pkg:gem/nokogiri@1.10.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 6 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 7 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 8 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 9 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 10 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 11 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 12 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 13 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 14 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 15 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 16 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 17 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 18 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 19 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 20 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 21 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 22 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 23 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 24 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 25 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 26 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 27 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 28 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 29 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 30 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 31 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 32 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 33 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.5 |
|
|
| aliases |
CVE-2019-5815, GHSA-vmfx-gcfq-wvm2
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u9b2-qx2j-c7by |
|
| 47 |
| url |
VCID-u9gg-kzf2-9qap |
| vulnerability_id |
VCID-u9gg-kzf2-9qap |
| summary |
xml external entity injection |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.12.5 |
| purl |
pkg:gem/nokogiri@1.12.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 5 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 6 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 7 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 8 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 9 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 10 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 11 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 12 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 13 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 14 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 15 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 16 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 17 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 18 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 19 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 20 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 21 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 22 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 23 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 24 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.12.5 |
|
|
| aliases |
CVE-2021-41098, GHSA-2rr5-8q37-2w7h
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u9gg-kzf2-9qap |
|
| 48 |
| url |
VCID-ueh5-fv4d-a7a8 |
| vulnerability_id |
VCID-ueh5-fv4d-a7a8 |
| summary |
multiple issues |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://crbug.com/727039 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://crbug.com/727039 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.8.2 |
| purl |
pkg:gem/nokogiri@1.8.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 11 |
| vulnerability |
VCID-akrb-6bu8-nqfq |
|
| 12 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 13 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 14 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 15 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 16 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 17 |
| vulnerability |
VCID-ft4s-195a-8fcf |
|
| 18 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 19 |
| vulnerability |
VCID-gwrv-agck-yuex |
|
| 20 |
| vulnerability |
VCID-jvd7-7jes-4ffn |
|
| 21 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 22 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 23 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 24 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 25 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 26 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 27 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 28 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 29 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 30 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 31 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 32 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 33 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 34 |
| vulnerability |
VCID-u9b2-qx2j-c7by |
|
| 35 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 36 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 37 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 38 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 39 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 40 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
| 41 |
| vulnerability |
VCID-zx33-nyvt-vbe9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.8.2 |
|
|
| aliases |
CVE-2017-15412, GHSA-r58r-74gx-6wx3
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ueh5-fv4d-a7a8 |
|
| 49 |
| url |
VCID-uk9u-nn9a-4yes |
| vulnerability_id |
VCID-uk9u-nn9a-4yes |
| summary |
multiple issues |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
| reference_url |
https://usn.ubuntu.com/4164-1/ |
| reference_id |
4164-1 |
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-28T18:27:54Z/ |
|
|
| url |
https://usn.ubuntu.com/4164-1/ |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.10.5 |
| purl |
pkg:gem/nokogiri@1.10.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 6 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 7 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 8 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 9 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 10 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 11 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 12 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 13 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 14 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 15 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 16 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 17 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 18 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 19 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 20 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 21 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 22 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 23 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 24 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 25 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 26 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 27 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 28 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 29 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 30 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 31 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 32 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 33 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.5 |
|
|
| aliases |
CVE-2019-18197, GHSA-242x-7cm6-4w8j
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uk9u-nn9a-4yes |
|
| 50 |
| url |
VCID-wnj6-hc4g-ykfs |
| vulnerability_id |
VCID-wnj6-hc4g-ykfs |
| summary |
Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415
## Summary
Nokogiri v1.18.8 upgrades its dependency libxml2 to
[v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8).
libxml2 v2.13.8 addresses:
- CVE-2025-32414
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
- CVE-2025-32415
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890
## Impact
### CVE-2025-32414: No impact
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds
memory access can occur in the Python API (Python bindings) because
of an incorrect return value. This occurs in xmlPythonFileRead and
xmlPythonFileReadRaw because of a difference between bytes and characters.
**There is no impact** from this CVE for Nokogiri users.
### CVE-2025-32415: Low impact
In libxml2 before 2.13.8 and 2.14.x before 2.14.2,
xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer
under-read. To exploit this, a crafted XML document must be validated
against an XML schema with certain identity constraints, or a
crafted XML schema must be used.
In the upstream issue, further context is provided by the maintainer:
> The bug affects validation against untrusted XML Schemas (.xsd)
> and validation of untrusted documents against trusted Schemas if
> they make use of xsd:keyref in combination with recursively
> defined types that have additional identity constraints.
MITRE has published a severity score of 2.9 LOW
(CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-5w6v-399v-w3cc
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wnj6-hc4g-ykfs |
|
| 51 |
| url |
VCID-yjn6-17qx-9ubc |
| vulnerability_id |
VCID-yjn6-17qx-9ubc |
| summary |
multiple issues |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.11.4 |
| purl |
pkg:gem/nokogiri@1.11.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 5 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 6 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 7 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 8 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 9 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 10 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 11 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 12 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 13 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 14 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 15 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 16 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 17 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 18 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 19 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 20 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 21 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 22 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 23 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 24 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 25 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.11.4 |
|
|
| aliases |
CVE-2021-3518, GHSA-v4f8-2847-rwm7
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yjn6-17qx-9ubc |
|
| 52 |
| url |
VCID-yrjg-2aw9-effx |
| vulnerability_id |
VCID-yrjg-2aw9-effx |
| summary |
Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs
### Summary
Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to [v2.10.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4) from v2.10.3.
libxml2 v2.10.4 addresses the following known vulnerabilities:
- [CVE-2023-29469](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469): Hashing of empty dict strings isn't deterministic
- [CVE-2023-28484](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484): Fix null deref in xmlSchemaFixupComplexType
- Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.14.3`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements.
### Mitigation
Upgrade to Nokogiri `>= 1.14.3`.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.10.4` which will also address these same issues.
### Impact
No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicate that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.
The commits can be examined at:
- [[CVE-2023-29469] Hashing of empty dict strings isn't deterministic (09a2dd45) · Commits · GNOME / libxml2 · GitLab](https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64)
- [[CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType (647e072e) · Commits · GNOME / libxml2 · GitLab](https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f)
- [schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7) · Commits · GNOME / libxml2 · GitLab](https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6) |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.14.3 |
| purl |
pkg:gem/nokogiri@1.14.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 1 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 2 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 3 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 4 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 5 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 6 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 7 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 8 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 9 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 10 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 11 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.14.3 |
|
|
| aliases |
GHSA-pxvg-2qj5-37jq, GMS-2023-1115
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yrjg-2aw9-effx |
|
| 53 |
| url |
VCID-zudy-xe9p-3fgm |
| vulnerability_id |
VCID-zudy-xe9p-3fgm |
| summary |
arbitrary code execution |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
| reference_url |
https://support.apple.com/kb/HT213255 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/ |
|
|
| url |
https://support.apple.com/kb/HT213255 |
|
| 32 |
| reference_url |
https://support.apple.com/kb/HT213256 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/ |
|
|
| url |
https://support.apple.com/kb/HT213256 |
|
| 33 |
| reference_url |
https://support.apple.com/kb/HT213257 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/ |
|
|
| url |
https://support.apple.com/kb/HT213257 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
|
| 50 |
|
| 51 |
|
| 52 |
|
| 53 |
|
| 54 |
|
| 55 |
|
| 56 |
|
| 57 |
|
| 58 |
|
| 59 |
|
| 60 |
|
| 61 |
|
| 62 |
|
| 63 |
|
| 64 |
|
| 65 |
|
| 66 |
|
| 67 |
|
| 68 |
|
| 69 |
|
| 70 |
|
| 71 |
|
| 72 |
|
| 73 |
|
| 74 |
|
| 75 |
|
| 76 |
|
| 77 |
|
| 78 |
|
| 79 |
|
| 80 |
|
| 81 |
|
| 82 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.13.4 |
| purl |
pkg:gem/nokogiri@1.13.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 1 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 2 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 3 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 4 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 5 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 6 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 7 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 8 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 9 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 10 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 11 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 12 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 13 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 14 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 15 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 16 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 17 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4 |
|
|
| aliases |
CVE-2018-25032, GHSA-jc36-42cf-vqwj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zudy-xe9p-3fgm |
|
| 54 |
| url |
VCID-zx33-nyvt-vbe9 |
| vulnerability_id |
VCID-zx33-nyvt-vbe9 |
| summary |
Rexical Command Injection Vulnerability
A command injection vulnerability appears in code generated by the Rexical
gem versions v1.0.6 and earlier. It allows commands to be executed in a
subprocess by Ruby's `Kernel.open` method. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/nokogiri@1.10.4 |
| purl |
pkg:gem/nokogiri@1.10.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1sh8-bsk3-auct |
|
| 1 |
| vulnerability |
VCID-2r85-egs8-4be3 |
|
| 2 |
| vulnerability |
VCID-4sg9-pjmx-6kfy |
|
| 3 |
| vulnerability |
VCID-5838-r3hp-wke4 |
|
| 4 |
| vulnerability |
VCID-5g9a-2484-rucp |
|
| 5 |
| vulnerability |
VCID-5xuf-r7bj-33fa |
|
| 6 |
| vulnerability |
VCID-66gp-78uh-aqem |
|
| 7 |
| vulnerability |
VCID-67gm-m1up-gfaf |
|
| 8 |
| vulnerability |
VCID-6t8y-27ba-cfa2 |
|
| 9 |
| vulnerability |
VCID-74wj-a72v-s3gk |
|
| 10 |
| vulnerability |
VCID-aef6-wkbr-1kfb |
|
| 11 |
| vulnerability |
VCID-bgcq-x9bd-83ap |
|
| 12 |
| vulnerability |
VCID-chdv-jk6d-uuga |
|
| 13 |
| vulnerability |
VCID-d13x-y75t-2ugx |
|
| 14 |
| vulnerability |
VCID-e2q6-558r-4kam |
|
| 15 |
| vulnerability |
VCID-e8w6-ax3x-wqan |
|
| 16 |
| vulnerability |
VCID-gvjg-dk1p-2uek |
|
| 17 |
| vulnerability |
VCID-jxz3-ug52-cuhn |
|
| 18 |
| vulnerability |
VCID-ktyd-dgdw-pber |
|
| 19 |
| vulnerability |
VCID-mgf4-zdnr-tba4 |
|
| 20 |
| vulnerability |
VCID-nuzy-ruzb-dke6 |
|
| 21 |
| vulnerability |
VCID-p6m6-7kgc-y3g8 |
|
| 22 |
| vulnerability |
VCID-pb6j-zdqw-g7cj |
|
| 23 |
| vulnerability |
VCID-pr2j-1118-hqaa |
|
| 24 |
| vulnerability |
VCID-q3td-7t4g-57ba |
|
| 25 |
| vulnerability |
VCID-qa31-1xtw-ybdg |
|
| 26 |
| vulnerability |
VCID-qkq6-n1ds-x7e5 |
|
| 27 |
| vulnerability |
VCID-tggj-xch8-jqcv |
|
| 28 |
| vulnerability |
VCID-u2yz-dthy-1fdr |
|
| 29 |
| vulnerability |
VCID-u6wn-nety-sbde |
|
| 30 |
| vulnerability |
VCID-u9gg-kzf2-9qap |
|
| 31 |
| vulnerability |
VCID-uk9u-nn9a-4yes |
|
| 32 |
| vulnerability |
VCID-wnj6-hc4g-ykfs |
|
| 33 |
| vulnerability |
VCID-yjn6-17qx-9ubc |
|
| 34 |
| vulnerability |
VCID-yrjg-2aw9-effx |
|
| 35 |
| vulnerability |
VCID-zudy-xe9p-3fgm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.4 |
|
|
| aliases |
CVE-2019-5477, GHSA-cr5j-953j-xw5p
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zx33-nyvt-vbe9 |
|