{"url":"http://public2.vulnerablecode.io/api/packages/426236?format=json","purl":"pkg:apk/alpine/ruby-nokogiri@1.13.10-r0?arch=riscv64&distroversion=v3.21&reponame=community","type":"apk","namespace":"alpine","name":"ruby-nokogiri","version":"1.13.10-r0","qualifiers":{"arch":"riscv64","distroversion":"v3.21","reponame":"community"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51495?format=json","vulnerability_id":"VCID-qhx2-j1jc-cyev","summary":"Unchecked return value from xmlTextReaderExpand\n## Summary\n\nNokogiri `1.13.8, 1.13.9` fails to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed.\n\nFor applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack.\n\n\n## Mitigation\n\nUpgrade to Nokogiri `>= 1.13.10`.\n\nUsers may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.\n\n\n## Severity\n\nThe Nokogiri maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-252: Unchecked Return Value (4.9)](https://cwe.mitre.org/data/definitions/252.html)\n- [CWE - CWE-476: NULL Pointer Dereference (4.9)](https://cwe.mitre.org/data/definitions/476.html)\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @davidwilemski.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23476.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23476.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23476","reference_id":"","reference_type":"","scores":[{"value":"0.00271","scoring_system":"epss","scoring_elements":"0.50738","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00271","scoring_system":"epss","scoring_elements":"0.50722","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00271","scoring_system":"epss","scoring_elements":"0.50753","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00271","scoring_system":"epss","scoring_elements":"0.50772","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00271","scoring_system":"epss","scoring_elements":"0.50767","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00271","scoring_system":"epss","scoring_elements":"0.50706","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23476"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-23476.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-23476.yml"},{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:08Z/"}],"url":"https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce"},{"reference_url":"https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:08Z/"}],"url":"https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:48:08Z/"}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23476","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23476"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2153279","reference_id":"2153279","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2153279"},{"reference_url":"https://github.com/advisories/GHSA-qv4q-mr5r-qprj","reference_id":"GHSA-qv4q-mr5r-qprj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qv4q-mr5r-qprj"},{"reference_url":"https://security.gentoo.org/glsa/202408-13","reference_id":"GLSA-202408-13","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202408-13"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/426236?format=json","purl":"pkg:apk/alpine/ruby-nokogiri@1.13.10-r0?arch=riscv64&distroversion=v3.21&reponame=community","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/ruby-nokogiri@1.13.10-r0%3Farch=riscv64&distroversion=v3.21&reponame=community"}],"aliases":["CVE-2022-23476","GHSA-qv4q-mr5r-qprj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qhx2-j1jc-cyev"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/ruby-nokogiri@1.13.10-r0%3Farch=riscv64&distroversion=v3.21&reponame=community"}