Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/540656?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/540656?format=api", "purl": "pkg:gem/nokogiri@1.13.0", "type": "gem", "namespace": "", "name": "nokogiri", "version": "1.13.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.19.3", "latest_non_vulnerable_version": "1.19.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359435?format=api", "vulnerability_id": "VCID-14st-5sfb-jfhk", "summary": "Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171\n## Summary\n\nNokogiri v1.18.3 upgrades its dependency libxml2 to\n[v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6).\n\nlibxml2 v2.13.6 addresses:\n\n- CVE-2025-24928\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847\n- CVE-2024-56171\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828\n\n## Impact\n\n### CVE-2025-24928\n\nStack-buffer overflow is possible when reporting DTD validation\nerrors if the input contains a long (~3kb) QName prefix.\n\n### CVE-2024-56171\n\nUse-after-free is possible during validation against untrusted\nXML Schemas (.xsd) and, potentially, validation of untrusted documents\nagainst trusted Schemas if they make use of `xsd:keyref` in combination\nwith recursively defined types that have additional identity constraints.", "references": [ { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m" }, { "reference_url": "https://github.com/advisories/GHSA-vvfq-8hwr-qm4m", "reference_id": "GHSA-vvfq-8hwr-qm4m", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vvfq-8hwr-qm4m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377245?format=api", "purl": "pkg:gem/nokogiri@1.18.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.18.3" } ], "aliases": [ "GHSA-vvfq-8hwr-qm4m" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-14st-5sfb-jfhk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/163827?format=api", "vulnerability_id": "VCID-47qk-3n97-wfb7", "summary": "Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23476.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23476.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23476", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00271", "scoring_system": "epss", "scoring_elements": "0.50944", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00271", "scoring_system": "epss", "scoring_elements": "0.50956", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00271", "scoring_system": "epss", "scoring_elements": "0.50941", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00271", "scoring_system": "epss", "scoring_elements": "0.50808", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23476" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153279", "reference_id": "2153279", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153279" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce", "reference_id": "85410e38410f670cbbc8c5b00d07b843caee88ce", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:08Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50", "reference_id": "9fe0761c47c0d4270d1a5220cfd25de080350d50", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:08Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23476", "reference_id": "CVE-2022-23476", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23476" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-23476.yml", "reference_id": "CVE-2022-23476.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-23476.yml" }, { "reference_url": "https://github.com/advisories/GHSA-qv4q-mr5r-qprj", "reference_id": "GHSA-qv4q-mr5r-qprj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qv4q-mr5r-qprj" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj", "reference_id": "GHSA-qv4q-mr5r-qprj", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:08Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj" }, { "reference_url": "https://security.gentoo.org/glsa/202408-13", "reference_id": "GLSA-202408-13", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202408-13" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28165?format=api", "purl": "pkg:gem/nokogiri@1.13.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-df5z-dpbb-r7cv" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.10" } ], "aliases": [ "CVE-2022-23476", "GHSA-qv4q-mr5r-qprj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-47qk-3n97-wfb7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12378?format=api", "vulnerability_id": "VCID-49ww-fg7b-zugq", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40303.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40303.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-40303", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0023", "scoring_system": "epss", "scoring_elements": "0.4612", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0023", "scoring_system": "epss", "scoring_elements": "0.46134", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0023", "scoring_system": "epss", "scoring_elements": "0.46127", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0023", "scoring_system": "epss", "scoring_elements": "0.45982", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-40303" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40303", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40303" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://nokogiri.org/CHANGELOG.html#1139-2022-10-18", "reference_id": "", "reference_type": "", "scores": [], "url": "https://nokogiri.org/CHANGELOG.html#1139-2022-10-18" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022224", "reference_id": "1022224", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022224" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/Dec/21", "reference_id": "21", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/" } ], "url": "http://seclists.org/fulldisclosure/2022/Dec/21" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136266", "reference_id": "2136266", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136266" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/Dec/24", "reference_id": "24", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/" } ], "url": "http://seclists.org/fulldisclosure/2022/Dec/24" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/Dec/25", "reference_id": "25", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/" } ], "url": "http://seclists.org/fulldisclosure/2022/Dec/25" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/Dec/26", "reference_id": "26", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/" } ], "url": "http://seclists.org/fulldisclosure/2022/Dec/26" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/Dec/27", "reference_id": "27", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/" } ], "url": "http://seclists.org/fulldisclosure/2022/Dec/27" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0", "reference_id": "c846986356fc149915a74972bf198abc266bc2c0", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/" } ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40303", "reference_id": "CVE-2022-40303", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40303" }, { "reference_url": "https://security.gentoo.org/glsa/202210-39", "reference_id": "GLSA-202210-39", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202210-39" }, { "reference_url": "https://support.apple.com/kb/HT213531", "reference_id": "HT213531", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/" } ], "url": "https://support.apple.com/kb/HT213531" }, { "reference_url": "https://support.apple.com/kb/HT213533", "reference_id": "HT213533", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/" } ], "url": "https://support.apple.com/kb/HT213533" }, { "reference_url": "https://support.apple.com/kb/HT213534", "reference_id": "HT213534", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/" } ], "url": "https://support.apple.com/kb/HT213534" }, { "reference_url": "https://support.apple.com/kb/HT213535", "reference_id": "HT213535", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/" } ], "url": "https://support.apple.com/kb/HT213535" }, { "reference_url": "https://support.apple.com/kb/HT213536", "reference_id": "HT213536", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/" } ], "url": "https://support.apple.com/kb/HT213536" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20221209-0003/", "reference_id": "ntap-20221209-0003", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20221209-0003/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8841", "reference_id": "RHSA-2022:8841", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8841" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0173", "reference_id": "RHSA-2023:0173", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0173" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0338", "reference_id": "RHSA-2023:0338", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0338" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0413", "reference_id": "RHSA-2024:0413", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0413" }, { "reference_url": "https://usn.ubuntu.com/5760-1/", "reference_id": "USN-5760-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5760-1/" }, { "reference_url": "https://usn.ubuntu.com/5760-2/", "reference_id": "USN-5760-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5760-2/" }, { "reference_url": "https://usn.ubuntu.com/7659-1/", "reference_id": "USN-7659-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7659-1/" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3", "reference_id": "v2.10.3", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/" } ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/27390?format=api", "purl": "pkg:gem/nokogiri@1.13.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-47qk-3n97-wfb7" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-df5z-dpbb-r7cv" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.9" } ], "aliases": [ "CVE-2022-40303" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-49ww-fg7b-zugq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/211691?format=api", "vulnerability_id": "VCID-8ftz-ajmp-jba8", "summary": "Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/discussions/3146", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/discussions/3146" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25062", "reference_id": "CVE-2024-25062", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25062" }, { "reference_url": "https://github.com/advisories/GHSA-xc9x-jj77-9p9j", "reference_id": "GHSA-xc9x-jj77-9p9j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xc9x-jj77-9p9j" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j", "reference_id": "GHSA-xc9x-jj77-9p9j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml", "reference_id": "GHSA-xc9x-jj77-9p9j.yml", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28756?format=api", "purl": "pkg:gem/nokogiri@1.15.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.15.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/691038?format=api", "purl": "pkg:gem/nokogiri@1.16.0.rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.0.rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/28755?format=api", "purl": "pkg:gem/nokogiri@1.16.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.2" } ], "aliases": [ "GHSA-xc9x-jj77-9p9j", "GMS-2024-127" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8ftz-ajmp-jba8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11508?format=api", "vulnerability_id": "VCID-ahe3-n9yg-sqgq", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23308.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23308.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23308", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22511", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22706", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22719", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22699", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23308" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23308", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23308" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS", "reference_id": "", "reference_type": "", "scores": [], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006489", "reference_id": "1006489", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006489" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2056913", "reference_id": "2056913", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2056913" }, { "reference_url": "https://security.archlinux.org/AVG-2726", "reference_id": "AVG-2726", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2726" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23308", "reference_id": "CVE-2022-23308", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23308" }, { "reference_url": "https://security.gentoo.org/glsa/202210-03", "reference_id": "GLSA-202210-03", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202210-03" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:0899", "reference_id": "RHSA-2022:0899", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:0899" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:1389", "reference_id": "RHSA-2022:1389", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:1389" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:1390", "reference_id": "RHSA-2022:1390", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:1390" }, { "reference_url": "https://usn.ubuntu.com/5324-1/", "reference_id": "USN-5324-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5324-1/" }, { "reference_url": "https://usn.ubuntu.com/5422-1/", "reference_id": "USN-5422-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5422-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19515?format=api", "purl": "pkg:gem/nokogiri@1.13.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-47qk-3n97-wfb7" }, { "vulnerability": "VCID-49ww-fg7b-zugq" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-dbue-58uu-ybaz" }, { "vulnerability": "VCID-df5z-dpbb-r7cv" }, { "vulnerability": "VCID-g8h5-nbxj-y7fe" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-m3bc-ah2t-p3b4" }, { "vulnerability": "VCID-nscm-fqz2-fbge" }, { "vulnerability": "VCID-pqm3-2t49-rqat" }, { "vulnerability": "VCID-s2mc-whzr-sbb8" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-v47q-qyuj-gba7" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" }, { "vulnerability": "VCID-zntu-4vu6-rkbt" }, { "vulnerability": "VCID-zyww-4npa-gkeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.2" } ], "aliases": [ "CVE-2022-23308" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ahe3-n9yg-sqgq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359433?format=api", "vulnerability_id": "VCID-bfux-puuz-p3fb", "summary": "Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs\n## Summary\n\nNokogiri v1.18.4 upgrades its dependency libxslt to\n[v1.1.43](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.43).\n\nlibxslt v1.1.43 resolves:\n\n- CVE-2025-24855: Fix use-after-free of XPath context node\n- CVE-2024-55549: Fix UAF related to excluded namespaces\n\n## Impact\n\n### CVE-2025-24855\n\n- \"Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node\"\n- MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H\n- Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128\n- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855\n\n### CVE-2024-55549\n\n- \"Use-after-free related to excluded result prefixes\"\n- MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H\n- Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127\n- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-mrxw-mxhj-p664", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-mrxw-mxhj-p664" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55549", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55549" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24855", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24855" }, { "reference_url": "https://github.com/advisories/GHSA-mrxw-mxhj-p664", "reference_id": "GHSA-mrxw-mxhj-p664", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mrxw-mxhj-p664" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377971?format=api", "purl": "pkg:gem/nokogiri@1.18.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.18.4" } ], "aliases": [ "GHSA-mrxw-mxhj-p664" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bfux-puuz-p3fb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12379?format=api", "vulnerability_id": "VCID-dbue-58uu-ybaz", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40304.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40304.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-40304", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00219", "scoring_system": "epss", "scoring_elements": "0.44755", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00219", "scoring_system": "epss", "scoring_elements": "0.446", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00219", "scoring_system": "epss", "scoring_elements": "0.44752", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00219", "scoring_system": "epss", "scoring_elements": "0.44768", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-40304" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40303", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40303" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://nokogiri.org/CHANGELOG.html#1139-2022-10-18", "reference_id": "", "reference_type": "", "scores": [], "url": "https://nokogiri.org/CHANGELOG.html#1139-2022-10-18" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022225", "reference_id": "1022225", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022225" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b", "reference_id": "1b41ec4e9433b05bb0376be4725804c54ef1d80b", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/Dec/21", "reference_id": "21", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "http://seclists.org/fulldisclosure/2022/Dec/21" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136288", "reference_id": "2136288", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136288" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/Dec/24", "reference_id": "24", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "http://seclists.org/fulldisclosure/2022/Dec/24" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/Dec/25", "reference_id": "25", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "http://seclists.org/fulldisclosure/2022/Dec/25" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/Dec/26", "reference_id": "26", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "http://seclists.org/fulldisclosure/2022/Dec/26" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/Dec/27", "reference_id": "27", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "http://seclists.org/fulldisclosure/2022/Dec/27" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40304", "reference_id": "CVE-2022-40304", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40304" }, { "reference_url": "https://security.gentoo.org/glsa/202210-39", "reference_id": "GLSA-202210-39", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202210-39" }, { "reference_url": "https://support.apple.com/kb/HT213531", "reference_id": "HT213531", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "https://support.apple.com/kb/HT213531" }, { "reference_url": "https://support.apple.com/kb/HT213533", "reference_id": "HT213533", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "https://support.apple.com/kb/HT213533" }, { "reference_url": "https://support.apple.com/kb/HT213534", "reference_id": "HT213534", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "https://support.apple.com/kb/HT213534" }, { "reference_url": "https://support.apple.com/kb/HT213535", "reference_id": "HT213535", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "https://support.apple.com/kb/HT213535" }, { "reference_url": "https://support.apple.com/kb/HT213536", "reference_id": "HT213536", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "https://support.apple.com/kb/HT213536" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20221209-0003/", "reference_id": "ntap-20221209-0003", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20221209-0003/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8841", "reference_id": "RHSA-2022:8841", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8841" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0173", "reference_id": "RHSA-2023:0173", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0173" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0338", "reference_id": "RHSA-2023:0338", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0338" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:0413", "reference_id": "RHSA-2024:0413", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:0413" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/tags", "reference_id": "tags", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/tags" }, { "reference_url": "https://usn.ubuntu.com/5760-1/", "reference_id": "USN-5760-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5760-1/" }, { "reference_url": "https://usn.ubuntu.com/5760-2/", "reference_id": "USN-5760-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5760-2/" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3", "reference_id": "v2.10.3", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/" } ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/27390?format=api", "purl": "pkg:gem/nokogiri@1.13.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-47qk-3n97-wfb7" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-df5z-dpbb-r7cv" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.9" } ], "aliases": [ "CVE-2022-40304" ], "risk_score": 3.5, "exploitability": "0.5", "weighted_severity": "7.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dbue-58uu-ybaz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359439?format=api", "vulnerability_id": "VCID-df5z-dpbb-r7cv", "summary": "Update packaged libxml2 to v2.10.4 to resolve multiple CVEs\n### Summary\n\nNokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to\n[v2.10.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4) from v2.10.3.\n\nlibxml2 v2.10.4 addresses the following known vulnerabilities:\n\n- [CVE-2023-29469](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469): Hashing of\n empty dict strings isn't deterministic\n- [CVE-2023-28484](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484): Fix null deref\n in xmlSchemaFixupComplexType\n- Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK\n\nPlease note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.14.3`,\nand only if the _packaged_ libraries are being used. If you've overridden defaults at installation\ntime to use _system_ libraries instead of packaged libraries, you should instead pay attention to\nyour distro's `libxml2` release announcements.\n\n\n### Mitigation\n\nUpgrade to Nokogiri `>= 1.14.3`.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile\nand link Nokogiri against external libraries libxml2 `>= 2.10.4` which will also address these\nsame issues.\n\n\n### Impact\n\nNo public information has yet been published about the security-related issues other than the\nupstream commits. Examination of those changesets indicate that the more serious issues relate to\nlibxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.\n\nThe commits can be examined at:\n\n- [\\[CVE-2023-29469\\] Hashing of empty dict strings isn't deterministic (09a2dd45)](https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64)\n- [\\[CVE-2023-28484\\] Fix null deref in xmlSchemaFixupComplexType (647e072e)](https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f)\n- [schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7)](https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6)", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-pxvg-2qj5-37jq", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-pxvg-2qj5-37jq" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f" }, { "reference_url": "https://github.com/advisories/GHSA-pxvg-2qj5-37jq", "reference_id": "GHSA-pxvg-2qj5-37jq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pxvg-2qj5-37jq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/379347?format=api", "purl": "pkg:gem/nokogiri@1.14.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.14.3" } ], "aliases": [ "GHSA-pxvg-2qj5-37jq", "GMS-2023-1115" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-df5z-dpbb-r7cv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11849?format=api", "vulnerability_id": "VCID-g8h5-nbxj-y7fe", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29181.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29181.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29181", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04183", "scoring_system": "epss", "scoring_elements": "0.88999", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.04183", "scoring_system": "epss", "scoring_elements": "0.89", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.04183", "scoring_system": "epss", "scoring_elements": "0.88956", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.04183", "scoring_system": "epss", "scoring_elements": "0.88993", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29181" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-29181.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-29181.yml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29181", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29181" }, { "reference_url": "https://support.apple.com/kb/HT213532", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://support.apple.com/kb/HT213532" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2088684", "reference_id": "2088684", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2088684" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7", "reference_id": "83cc451c3f29df397caa890afc3b714eae6ab8f7", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267", "reference_id": "db05ba9a1bd4b90aa6c76742cf6102a7c7297267", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267" }, { "reference_url": "https://github.com/advisories/GHSA-xh29-r2w5-wx8m", "reference_id": "GHSA-xh29-r2w5-wx8m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xh29-r2w5-wx8m" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m", "reference_id": "GHSA-xh29-r2w5-wx8m", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m" }, { "reference_url": "https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri", "reference_id": "GHSL-2022-031_GHSL-2022-032_Nokogiri", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/" } ], "url": "https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri" }, { "reference_url": "https://security.gentoo.org/glsa/202208-29", "reference_id": "GLSA-202208-29", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202208-29" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8506", "reference_id": "RHSA-2022:8506", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8506" }, { "reference_url": "https://usn.ubuntu.com/7659-1/", "reference_id": "USN-7659-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7659-1/" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6", "reference_id": "v1.13.6", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/" } ], "url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/386593?format=api", "purl": "pkg:gem/nokogiri@1.13.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-47qk-3n97-wfb7" }, { "vulnerability": "VCID-49ww-fg7b-zugq" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-dbue-58uu-ybaz" }, { "vulnerability": "VCID-df5z-dpbb-r7cv" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" }, { "vulnerability": "VCID-zyww-4npa-gkeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.6" } ], "aliases": [ "CVE-2022-29181", "GHSA-xh29-r2w5-wx8m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g8h5-nbxj-y7fe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/211732?format=api", "vulnerability_id": "VCID-gbwe-1wq8-83bf", "summary": "Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/advisories/GHSA-vcc3-rw6f-jv97", "reference_id": "GHSA-vcc3-rw6f-jv97", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vcc3-rw6f-jv97" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j", "reference_id": "GHSA-xc9x-jj77-9p9j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml", "reference_id": "GHSA-xc9x-jj77-9p9j.yml", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28756?format=api", "purl": "pkg:gem/nokogiri@1.15.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.15.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/28755?format=api", "purl": "pkg:gem/nokogiri@1.16.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.2" } ], "aliases": [ "GHSA-vcc3-rw6f-jv97" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gbwe-1wq8-83bf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212597?format=api", "vulnerability_id": "VCID-m2bp-rxcw-myg9", "summary": "Nokogiri does not check the return value from xmlC14NExecute", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/advisories/GHSA-wx95-c6cv-8532", "reference_id": "GHSA-wx95-c6cv-8532", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wx95-c6cv-8532" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532", "reference_id": "GHSA-wx95-c6cv-8532", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39371?format=api", "purl": "pkg:gem/nokogiri@1.19.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-w48v-grqb-u3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.19.1" } ], "aliases": [ "GHSA-wx95-c6cv-8532" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m2bp-rxcw-myg9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/208746?format=api", "vulnerability_id": "VCID-m3bc-ah2t-p3b4", "summary": "Out-of-bounds Write in zlib affects Nokogiri", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4" }, { "reference_url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032", "reference_id": "CVE-2018-25032", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032" }, { "reference_url": "https://github.com/advisories/GHSA-jc36-42cf-vqwj", "reference_id": "GHSA-jc36-42cf-vqwj", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jc36-42cf-vqwj" }, { "reference_url": "https://github.com/advisories/GHSA-v6gp-9mmm-c6p5", "reference_id": "GHSA-v6gp-9mmm-c6p5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v6gp-9mmm-c6p5" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5", "reference_id": "GHSA-v6gp-9mmm-c6p5", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19854?format=api", "purl": "pkg:gem/nokogiri@1.13.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-47qk-3n97-wfb7" }, { "vulnerability": "VCID-49ww-fg7b-zugq" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-dbue-58uu-ybaz" }, { "vulnerability": "VCID-df5z-dpbb-r7cv" }, { "vulnerability": "VCID-g8h5-nbxj-y7fe" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" }, { "vulnerability": "VCID-zntu-4vu6-rkbt" }, { "vulnerability": "VCID-zyww-4npa-gkeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4" } ], "aliases": [ "GHSA-v6gp-9mmm-c6p5", "GMS-2022-787" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m3bc-ah2t-p3b4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11616?format=api", "vulnerability_id": "VCID-nscm-fqz2-fbge", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24836.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24836.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24836", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01827", "scoring_system": "epss", "scoring_elements": "0.83371", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01827", "scoring_system": "epss", "scoring_elements": "0.83375", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01827", "scoring_system": "epss", "scoring_elements": "0.83366", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01827", "scoring_system": "epss", "scoring_elements": "0.83305", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24836" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24836", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24836" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4" }, { "reference_url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/" }, { "reference_url": "https://support.apple.com/kb/HT213532", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://support.apple.com/kb/HT213532" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009787", "reference_id": "1009787", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009787" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2074346", "reference_id": "2074346", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2074346" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24836", "reference_id": "CVE-2022-24836", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24836" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml", "reference_id": "CVE-2022-24836.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml" }, { "reference_url": "https://github.com/advisories/GHSA-crjr-9rc5-ghw8", "reference_id": "GHSA-crjr-9rc5-ghw8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-crjr-9rc5-ghw8" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8", "reference_id": "GHSA-crjr-9rc5-ghw8", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8" }, { "reference_url": "https://security.gentoo.org/glsa/202208-29", "reference_id": "GLSA-202208-29", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.gentoo.org/glsa/202208-29" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8506", "reference_id": "RHSA-2022:8506", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8506" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19854?format=api", "purl": "pkg:gem/nokogiri@1.13.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-47qk-3n97-wfb7" }, { "vulnerability": "VCID-49ww-fg7b-zugq" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-dbue-58uu-ybaz" }, { "vulnerability": "VCID-df5z-dpbb-r7cv" }, { "vulnerability": "VCID-g8h5-nbxj-y7fe" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" }, { "vulnerability": "VCID-zntu-4vu6-rkbt" }, { "vulnerability": "VCID-zyww-4npa-gkeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4" } ], "aliases": [ "CVE-2022-24836", "GHSA-crjr-9rc5-ghw8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nscm-fqz2-fbge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/208748?format=api", "vulnerability_id": "VCID-pqm3-2t49-rqat", "summary": "Denial of Service (DoS) in Nokogiri on JRuby", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4" }, { "reference_url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ" }, { "reference_url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24839", "reference_id": "CVE-2022-24839", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24839" }, { "reference_url": "https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv", "reference_id": "GHSA-9849-p7jc-9rmv", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv" }, { "reference_url": "https://github.com/advisories/GHSA-gx8x-g87m-h5q6", "reference_id": "GHSA-gx8x-g87m-h5q6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gx8x-g87m-h5q6" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-gx8x-g87m-h5q6", "reference_id": "GHSA-gx8x-g87m-h5q6", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-gx8x-g87m-h5q6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19854?format=api", "purl": "pkg:gem/nokogiri@1.13.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-47qk-3n97-wfb7" }, { "vulnerability": "VCID-49ww-fg7b-zugq" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-dbue-58uu-ybaz" }, { "vulnerability": "VCID-df5z-dpbb-r7cv" }, { "vulnerability": "VCID-g8h5-nbxj-y7fe" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" }, { "vulnerability": "VCID-zntu-4vu6-rkbt" }, { "vulnerability": "VCID-zyww-4npa-gkeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4" } ], "aliases": [ "GHSA-gx8x-g87m-h5q6", "GMS-2022-786" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pqm3-2t49-rqat" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/5388?format=api", "vulnerability_id": "VCID-s2mc-whzr-sbb8", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-25032.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-25032.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-25032", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.25585", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.256", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.25582", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00089", "scoring_system": "epss", "scoring_elements": "0.25385", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-25032" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20220526-0009", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20220526-0009" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20220729-0004", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20220729-0004" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2022/03/24/1", "reference_id": "1", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://www.openwall.com/lists/oss-security/2022/03/24/1" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2022/03/28/1", "reference_id": "1", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://www.openwall.com/lists/oss-security/2022/03/28/1" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/03/26/1", "reference_id": "1", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2022/03/26/1" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008265", "reference_id": "1008265", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008265" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/03/25/2", "reference_id": "2", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2022/03/25/2" }, { "reference_url": "https://security.gentoo.org/glsa/202210-42", "reference_id": "202210-42", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://security.gentoo.org/glsa/202210-42" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067945", "reference_id": "2067945", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067945" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2022/03/28/3", "reference_id": "3", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://www.openwall.com/lists/oss-security/2022/03/28/3" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/May/33", "reference_id": "33", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "http://seclists.org/fulldisclosure/2022/May/33" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/May/35", "reference_id": "35", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "http://seclists.org/fulldisclosure/2022/May/35" }, { "reference_url": "http://seclists.org/fulldisclosure/2022/May/38", "reference_id": "38", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "http://seclists.org/fulldisclosure/2022/May/38" }, { "reference_url": "https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531", "reference_id": "5c44459c3b28a9bd3283aaceab7c615f8020c531", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531" }, { "reference_url": "https://github.com/madler/zlib/issues/605", "reference_id": "605", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://github.com/madler/zlib/issues/605" }, { "reference_url": "https://security.archlinux.org/ASA-202204-3", "reference_id": "ASA-202204-3", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202204-3" }, { "reference_url": "https://security.archlinux.org/AVG-2657", "reference_id": "AVG-2657", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2657" }, { "reference_url": "https://www.oracle.com/security-alerts/cpujul2022.html", "reference_id": "cpujul2022.html", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032", "reference_id": "CVE-2018-25032", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-25032.yml", "reference_id": "CVE-2018-25032.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-25032.yml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/", "reference_id": "DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/", "reference_id": "DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/" }, { "reference_url": "https://www.debian.org/security/2022/dsa-5111", "reference_id": "dsa-5111", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://www.debian.org/security/2022/dsa-5111" }, { "reference_url": "https://github.com/advisories/GHSA-jc36-42cf-vqwj", "reference_id": "GHSA-jc36-42cf-vqwj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jc36-42cf-vqwj" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5", "reference_id": "GHSA-v6gp-9mmm-c6p5", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5" }, { "reference_url": "https://security.gentoo.org/glsa/202405-22", "reference_id": "GLSA-202405-22", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202405-22" }, { "reference_url": "https://support.apple.com/kb/HT213255", "reference_id": "HT213255", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://support.apple.com/kb/HT213255" }, { "reference_url": "https://support.apple.com/kb/HT213256", "reference_id": "HT213256", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://support.apple.com/kb/HT213256" }, { "reference_url": "https://support.apple.com/kb/HT213257", "reference_id": "HT213257", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://support.apple.com/kb/HT213257" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/", "reference_id": "JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html", "reference_id": "msg00000.html", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html", "reference_id": "msg00008.html", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html", "reference_id": "msg00023.html", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/", "reference_id": "NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20220526-0009/", "reference_id": "ntap-20220526-0009", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20220526-0009/" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20220729-0004/", "reference_id": "ntap-20220729-0004", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20220729-0004/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:1591", "reference_id": "RHSA-2022:1591", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:1591" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:1642", "reference_id": "RHSA-2022:1642", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:1642" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:1661", "reference_id": "RHSA-2022:1661", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:1661" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:2192", "reference_id": "RHSA-2022:2192", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:2192" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:2197", "reference_id": "RHSA-2022:2197", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:2197" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:2198", "reference_id": "RHSA-2022:2198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:2198" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:2201", "reference_id": "RHSA-2022:2201", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:2201" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:2213", "reference_id": "RHSA-2022:2213", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:2213" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:2214", "reference_id": "RHSA-2022:2214", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:2214" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:4584", "reference_id": "RHSA-2022:4584", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:4584" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:4592", "reference_id": "RHSA-2022:4592", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:4592" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:4845", "reference_id": "RHSA-2022:4845", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:4845" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:4896", "reference_id": "RHSA-2022:4896", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:4896" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:5439", "reference_id": "RHSA-2022:5439", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:5439" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7144", "reference_id": "RHSA-2022:7144", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7144" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7813", "reference_id": "RHSA-2022:7813", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7813" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8420", "reference_id": "RHSA-2022:8420", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8420" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0943", "reference_id": "RHSA-2023:0943", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0943" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0975", "reference_id": "RHSA-2023:0975", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0975" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0976", "reference_id": "RHSA-2023:0976", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0976" }, { "reference_url": "https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf", "reference_id": "ssa-333517.pdf", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf" }, { "reference_url": "https://usn.ubuntu.com/5355-1/", "reference_id": "USN-5355-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5355-1/" }, { "reference_url": "https://usn.ubuntu.com/5355-2/", "reference_id": "USN-5355-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5355-2/" }, { "reference_url": "https://usn.ubuntu.com/5359-1/", "reference_id": "USN-5359-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5359-1/" }, { "reference_url": "https://usn.ubuntu.com/5359-2/", "reference_id": "USN-5359-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5359-2/" }, { "reference_url": "https://usn.ubuntu.com/5739-1/", "reference_id": "USN-5739-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5739-1/" }, { "reference_url": "https://usn.ubuntu.com/6736-1/", "reference_id": "USN-6736-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6736-1/" }, { "reference_url": "https://usn.ubuntu.com/6736-2/", "reference_id": "USN-6736-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6736-2/" }, { "reference_url": "https://github.com/madler/zlib/compare/v1.2.11...v1.2.12", "reference_id": "v1.2.11...v1.2.12", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://github.com/madler/zlib/compare/v1.2.11...v1.2.12" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/", "reference_id": "VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/", "reference_id": "XOKFMSNQ5D5WGMALBNBXU3GE442V74WU", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19854?format=api", "purl": "pkg:gem/nokogiri@1.13.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-47qk-3n97-wfb7" }, { "vulnerability": "VCID-49ww-fg7b-zugq" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-dbue-58uu-ybaz" }, { "vulnerability": "VCID-df5z-dpbb-r7cv" }, { "vulnerability": "VCID-g8h5-nbxj-y7fe" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" }, { "vulnerability": "VCID-zntu-4vu6-rkbt" }, { "vulnerability": "VCID-zyww-4npa-gkeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4" } ], "aliases": [ "CVE-2018-25032", "GHSA-jc36-42cf-vqwj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s2mc-whzr-sbb8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359434?format=api", "vulnerability_id": "VCID-tntw-mt23-k7gh", "summary": "Nokogiri XSLT transform has a memory leak\n## Summary\n\nNokogiri's `Nokogiri::XSLT::Stylesheet#transform` leaks a small heap allocation when passed a Ruby string parameter containing a null byte.\n\nFor applications that pass attacker-controlled input through `XSLT.transform` parameters, this may be a vector for a denial of service attack against long-running processes.\n\n\n## Mitigation\n\nUpgrade to Nokogiri `>= 1.19.3`.\n\nUsers may also be able to mitigate this issue without upgrading by validating untrusted transform parameters before passing them to `Nokogiri::XSLT::Stylesheet#transform`.\n\n\n## Severity\n\nThe Nokogiri maintainers have evaluated this as **Moderate Severity**, CVSS 5.3.\n\nEach leaked allocation is approximately 24–32 bytes, so meaningful memory growth requires sustained attacker-controlled traffic at high call rates. The bug does not cause memory corruption, information disclosure, or any change in the behavior of the transform itself, and the string-handling exception is raised as expected.\n\nApplications that do not pass raw attacker-controlled bytes to XSLT parameters are unlikely to be affected in practice.\n\n\n## Resources\n\n- [CWE-401: Missing Release of Memory after Effective Lifetime](https://cwe.mitre.org/data/definitions/401.html)\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @Captainjack-kor.", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv" }, { "reference_url": "https://github.com/advisories/GHSA-v2fc-qm4h-8hqv", "reference_id": "GHSA-v2fc-qm4h-8hqv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v2fc-qm4h-8hqv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375402?format=api", "purl": "pkg:gem/nokogiri@1.19.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.19.3" } ], "aliases": [ "GHSA-v2fc-qm4h-8hqv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tntw-mt23-k7gh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359431?format=api", "vulnerability_id": "VCID-umph-eaje-7khu", "summary": "Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415\n## Summary\n\nNokogiri v1.18.8 upgrades its dependency libxml2 to\n[v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8).\n\nlibxml2 v2.13.8 addresses:\n\n- CVE-2025-32414\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889\n- CVE-2025-32415\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890\n\n## Impact\n\n### CVE-2025-32414: No impact\n\nIn libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds\nmemory access can occur in the Python API (Python bindings) because\nof an incorrect return value. This occurs in xmlPythonFileRead and\nxmlPythonFileReadRaw because of a difference between bytes and characters.\n\n**There is no impact** from this CVE for Nokogiri users.\n\n### CVE-2025-32415: Low impact\n\nIn libxml2 before 2.13.8 and 2.14.x before 2.14.2,\nxmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer\nunder-read. To exploit this, a crafted XML document must be validated\nagainst an XML schema with certain identity constraints, or a\ncrafted XML schema must be used.\n\nIn the upstream issue, further context is provided by the maintainer:\n\n> The bug affects validation against untrusted XML Schemas (.xsd)\n> and validation of untrusted documents against trusted Schemas if\n> they make use of xsd:keyref in combination with recursively\n> defined types that have additional identity constraints.\n\nMITRE has published a severity score of 2.9 LOW\n(CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8" }, { "reference_url": "https://github.com/advisories/GHSA-5w6v-399v-w3cc", "reference_id": "GHSA-5w6v-399v-w3cc", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5w6v-399v-w3cc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376551?format=api", "purl": "pkg:gem/nokogiri@1.18.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.18.8" } ], "aliases": [ "GHSA-5w6v-399v-w3cc" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-umph-eaje-7khu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/208747?format=api", "vulnerability_id": "VCID-v47q-qyuj-gba7", "summary": "XML Injection in Xerces Java affects Nokogiri", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4" }, { "reference_url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23437", "reference_id": "CVE-2022-23437", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23437" }, { "reference_url": "https://github.com/advisories/GHSA-h65f-jvqw-m9fj", "reference_id": "GHSA-h65f-jvqw-m9fj", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h65f-jvqw-m9fj" }, { "reference_url": "https://github.com/advisories/GHSA-xxx9-3xcr-gjj3", "reference_id": "GHSA-xxx9-3xcr-gjj3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xxx9-3xcr-gjj3" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3", "reference_id": "GHSA-xxx9-3xcr-gjj3", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19854?format=api", "purl": "pkg:gem/nokogiri@1.13.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-47qk-3n97-wfb7" }, { "vulnerability": "VCID-49ww-fg7b-zugq" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-dbue-58uu-ybaz" }, { "vulnerability": "VCID-df5z-dpbb-r7cv" }, { "vulnerability": "VCID-g8h5-nbxj-y7fe" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" }, { "vulnerability": "VCID-zntu-4vu6-rkbt" }, { "vulnerability": "VCID-zyww-4npa-gkeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4" } ], "aliases": [ "GHSA-xxx9-3xcr-gjj3", "GMS-2022-788" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v47q-qyuj-gba7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359437?format=api", "vulnerability_id": "VCID-vfgg-89r3-aueu", "summary": "Nokogiri patches vendored libxml2 to resolve multiple CVEs\n## Summary\n\nNokogiri v1.18.9 patches the vendored libxml2 to address\nCVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795,\nand CVE-2025-49796.\n\n## Impact and severity\n\n### CVE-2025-6021\n\nA flaw was found in libxml2's xmlBuildQName function, where integer\noverflows in buffer size calculations can lead to a stack-based\nbuffer overflow. This issue can result in memory corruption or a\ndenial of service when processing crafted input.\n\nNVD claims a severity of 7.5 High\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae\n\n### CVE-2025-6170\n\nA flaw was found in the interactive shell of the xmllint command-line\ntool, used for parsing XML files. When a user inputs an overly long\ncommand, the program does not check the input size properly, which\ncan cause it to crash. This issue might allow attackers to run\nharmful code in rare configurations without modern protections.\n\nNVD claims a severity of 2.5 Low\n(CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1\n\n### CVE-2025-49794\n\nA use-after-free vulnerability was found in libxml2. This issue\noccurs when parsing XPath elements under certain circumstances when\nthe XML schematron has the <sch:name path=\"...\"/> schema elements.\nThis flaw allows a malicious actor to craft a malicious XML document\nused as input for libxml, resulting in the program's crash using\nlibxml or other possible undefined behaviors.\n\nNVD claims a severity of 9.1 Critical\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5\n\n### CVE-2025-49795\n\nA NULL pointer dereference vulnerability was found in libxml2 when\nprocessing XPath XML expressions. This flaw allows an attacker to\ncraft a malicious XML input to libxml2, leading to a denial of service.\n\nNVD claims a severity of 7.5 High\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278\n\n### CVE-2025-49796\n\nA vulnerability was found in libxml2. Processing certain sch:name\nelements from the input XML file can trigger a memory corruption\nissue. This flaw allows an attacker to craft a malicious XML input\nfile that can lead libxml to crash, resulting in a denial of service\nor other possible undefined behavior due to sensitive data being\ncorrupted in memory.\n\nNVD claims a severity of 9.1 Critical\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5\n\n## Affected Versions\n\n- Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2\n\n## Patched Versions\n\n- Nokogiri >= 1.18.9\n\n## Mitigation\n\nUpgrade to Nokogiri v1.18.9 or later.\n\nUsers who are unable to upgrade Nokogiri may also choose a more\ncomplicated mitigation: compile and link Nokogiri against patched\nexternal libxml2 libraries which will also address these same issues.", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/pull/3526", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/pull/3526" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49794" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49795", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49795" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49796" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6021", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6021" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6170", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6170" }, { "reference_url": "https://github.com/advisories/GHSA-353f-x4gh-cqq8", "reference_id": "GHSA-353f-x4gh-cqq8", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-353f-x4gh-cqq8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378377?format=api", "purl": "pkg:gem/nokogiri@1.18.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-w48v-grqb-u3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.18.9" } ], "aliases": [ "GHSA-353f-x4gh-cqq8" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vfgg-89r3-aueu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359432?format=api", "vulnerability_id": "VCID-w48v-grqb-u3gz", "summary": "Nokogiri CSS selector tokenizer has regular expression backtracking\n## Summary\n\nNokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release:\n\n1. String-literal tokenization on certain unterminated quoted-string input.\n2. String-literal tokenization on a separate class of hex-escape-rich input.\n3. Identifier tokenization on hex-escape-rich input.\n\nThe public CSS selector methods that funnel through the affected tokenizer are `Nokogiri::CSS.xpath_for`, `Node#css`, `Node#at_css`, `Searchable#search`, and `CSS::Parser#parse`.\n\n\n## Mitigation\n\nUpgrade to Nokogiri `>= 1.19.3`.\n\nIf users are unable to upgrade, two options are available:\n\n- Avoid the use of attacker-controlled text in CSS selectors. Applications that only pass developer-authored selectors to Nokogiri are not directly exposed.\n- Set global `Regexp.timeout` (Ruby 3.2+, JRuby 9.4+) to bound parse time.\n\n## Severity\n\nThe Nokogiri maintainers have evaluated this as **High Severity** (CVSS 7.5, `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`).\n\nAn attacker able to inject user-supplied text into a CSS selector parse method can cause exponential backtracking, resulting in a potential denial of service.\n\n\n## Resources\n\n- [CWE-1333: Inefficient Regular Expression Complexity](https://cwe.mitre.org/data/definitions/1333.html)\n\n\n## Credit\n\nVector 1 was responsibly reported by @colby-swandale. Vectors 2 and 3 were discovered by @flavorjones during the response to the original report.", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx" }, { "reference_url": "https://github.com/advisories/GHSA-c4rq-3m3g-8wgx", "reference_id": "GHSA-c4rq-3m3g-8wgx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c4rq-3m3g-8wgx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/375402?format=api", "purl": "pkg:gem/nokogiri@1.19.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.19.3" } ], "aliases": [ "GHSA-c4rq-3m3g-8wgx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w48v-grqb-u3gz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/211765?format=api", "vulnerability_id": "VCID-w7rs-2k33-huft", "summary": "Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53" }, { "reference_url": "https://github.com/advisories/GHSA-r95h-9x8f-r3f7", "reference_id": "GHSA-r95h-9x8f-r3f7", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r95h-9x8f-r3f7" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7", "reference_id": "GHSA-r95h-9x8f-r3f7", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-r95h-9x8f-r3f7.yml", "reference_id": "GHSA-r95h-9x8f-r3f7.yml", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-r95h-9x8f-r3f7.yml" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31006?format=api", "purl": "pkg:gem/nokogiri@1.16.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.5" } ], "aliases": [ "GHSA-r95h-9x8f-r3f7" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w7rs-2k33-huft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360585?format=api", "vulnerability_id": "VCID-xsrn-bd5u-2ufz", "summary": "Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171\n# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-vvfq-8hwr-qm4m. This link is maintained to preserve external references.\n\n# Original Description\n\n## Summary\n\nNokogiri v1.18.3 upgrades its dependency libxml2 to\n[v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6).\n\nlibxml2 v2.13.6 addresses:\n\n- CVE-2025-24928\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847\n- CVE-2024-56171\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828\n\n## Impact\n\n### CVE-2025-24928\n\nStack-buffer overflow is possible when reporting DTD validation\nerrors if the input contains a long (~3kb) QName prefix.\n\n### CVE-2024-56171\n\nUse-after-free is possible during validation against untrusted\nXML Schemas (.xsd) and, potentially, validation of untrusted documents\nagainst trusted Schemas if they make use of `xsd:keyref` in combination\nwith recursively defined types that have additional identity constraints.", "references": [ { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml" }, { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m" }, { "reference_url": "https://github.com/advisories/GHSA-5mwf-688x-mr7x", "reference_id": "GHSA-5mwf-688x-mr7x", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5mwf-688x-mr7x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377245?format=api", "purl": "pkg:gem/nokogiri@1.18.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.18.3" } ], "aliases": [ "GHSA-5mwf-688x-mr7x" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xsrn-bd5u-2ufz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/208286?format=api", "vulnerability_id": "VCID-yr3x-bvad-mfcc", "summary": "Vulnerable dependencies in Nokogiri", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/advisories/GHSA-fq42-c5rg-92c2", "reference_id": "GHSA-fq42-c5rg-92c2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fq42-c5rg-92c2" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2", "reference_id": "GHSA-fq42-c5rg-92c2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/19515?format=api", "purl": "pkg:gem/nokogiri@1.13.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-47qk-3n97-wfb7" }, { "vulnerability": "VCID-49ww-fg7b-zugq" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-dbue-58uu-ybaz" }, { "vulnerability": "VCID-df5z-dpbb-r7cv" }, { "vulnerability": "VCID-g8h5-nbxj-y7fe" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-m3bc-ah2t-p3b4" }, { "vulnerability": "VCID-nscm-fqz2-fbge" }, { "vulnerability": "VCID-pqm3-2t49-rqat" }, { "vulnerability": "VCID-s2mc-whzr-sbb8" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-v47q-qyuj-gba7" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" }, { "vulnerability": "VCID-zntu-4vu6-rkbt" }, { "vulnerability": "VCID-zyww-4npa-gkeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.2" } ], "aliases": [ "GHSA-fq42-c5rg-92c2", "GMS-2022-163" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yr3x-bvad-mfcc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/211769?format=api", "vulnerability_id": "VCID-z2bq-warv-47c1", "summary": "Duplicate Advisory: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/advisories/GHSA-r3w4-36x6-7r99", "reference_id": "GHSA-r3w4-36x6-7r99", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r3w4-36x6-7r99" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7", "reference_id": "GHSA-r95h-9x8f-r3f7", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-r95h-9x8f-r3f7.yml", "reference_id": "GHSA-r95h-9x8f-r3f7.yml", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-r95h-9x8f-r3f7.yml" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31006?format=api", "purl": "pkg:gem/nokogiri@1.16.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.5" } ], "aliases": [ "GHSA-r3w4-36x6-7r99" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z2bq-warv-47c1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359436?format=api", "vulnerability_id": "VCID-zntu-4vu6-rkbt", "summary": "Integer Overflow or Wraparound in libxml2 affects Nokogiri\n### Summary\n\nNokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from\nv2.9.13 to [v2.9.14](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14).\n\nlibxml2 v2.9.14 addresses [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824).\nThis version also includes several security-related bug fixes for which CVEs were not created,\nincluding a potential double-free, potential memory leaks, and integer-overflow.\n\nPlease note that this advisory only applies to the CRuby implementation of Nokogiri\n`< 1.13.5`, and only if the _packaged_ libraries are being used. If you've overridden\ndefaults at installation time to use _system_ libraries instead of packaged libraries,\nyou should instead pay attention to your distro's `libxml2` and `libxslt` release announcements.\n\n### Mitigation\n\nUpgrade to Nokogiri `>= 1.13.5`.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated mitigation:\ncompile and link Nokogiri against external libraries libxml2 `>= 2.9.14` which will also\naddress these same issues.\n\n### Impact\n\n#### libxml2 [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824)\n\n- **CVSS3 score**:\n - Unspecified upstream\n - Nokogiri maintainers evaluate at 8.6 (High) ([CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)) Note that this is different from the CVSS assessed by NVD.\n- **Type**: Denial of service, information disclosure\n- **Description**: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.\n- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24\n\nAll versions of libml2 prior to v2.9.14 are affected.\n\nApplications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.\n\n\n### References\n\n- [libxml2 v2.9.14 release notes](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14)\n- [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824)\n- [CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](https://cwe.mitre.org/data/definitions/119.html)", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5" }, { "reference_url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29824", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29824" }, { "reference_url": "https://github.com/advisories/GHSA-cgx6-hpwq-fhv5", "reference_id": "GHSA-cgx6-hpwq-fhv5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cgx6-hpwq-fhv5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/385433?format=api", "purl": "pkg:gem/nokogiri@1.13.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-47qk-3n97-wfb7" }, { "vulnerability": "VCID-49ww-fg7b-zugq" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-dbue-58uu-ybaz" }, { "vulnerability": "VCID-df5z-dpbb-r7cv" }, { "vulnerability": "VCID-g8h5-nbxj-y7fe" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" }, { "vulnerability": "VCID-zyww-4npa-gkeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.5" } ], "aliases": [ "GHSA-cgx6-hpwq-fhv5", "GMS-2022-1438" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zntu-4vu6-rkbt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/211455?format=api", "vulnerability_id": "VCID-zyww-4npa-gkeq", "summary": "Update bundled libxml2 to v2.10.3 to resolve multiple CVEs", "references": [ { "reference_url": "https://github.com/sparklemotion/nokogiri", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri" }, { "reference_url": "https://github.com/advisories/GHSA-2qc6-mcvw-92cw", "reference_id": "GHSA-2qc6-mcvw-92cw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2qc6-mcvw-92cw" }, { "reference_url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw", "reference_id": "GHSA-2qc6-mcvw-92cw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/27390?format=api", "purl": "pkg:gem/nokogiri@1.13.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-14st-5sfb-jfhk" }, { "vulnerability": "VCID-47qk-3n97-wfb7" }, { "vulnerability": "VCID-8ftz-ajmp-jba8" }, { "vulnerability": "VCID-bfux-puuz-p3fb" }, { "vulnerability": "VCID-df5z-dpbb-r7cv" }, { "vulnerability": "VCID-gbwe-1wq8-83bf" }, { "vulnerability": "VCID-m2bp-rxcw-myg9" }, { "vulnerability": "VCID-tntw-mt23-k7gh" }, { "vulnerability": "VCID-umph-eaje-7khu" }, { "vulnerability": "VCID-vfgg-89r3-aueu" }, { "vulnerability": "VCID-w48v-grqb-u3gz" }, { "vulnerability": "VCID-w7rs-2k33-huft" }, { "vulnerability": "VCID-xsrn-bd5u-2ufz" }, { "vulnerability": "VCID-z2bq-warv-47c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.9" } ], "aliases": [ "GHSA-2qc6-mcvw-92cw", "GMS-2022-5550" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zyww-4npa-gkeq" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.0" }