Vulnerability details: VCID-yjtd-j2xx-73hm
Vulnerability ID VCID-yjtd-j2xx-73hm
Aliases CVE-2019-13117
GHSA-4hm9-844j-jmxp
Summary Nokogiri gem, via libxslt, is affected by multiple vulnerabilities

Nokogiri v1.10.5 has been released. This is a security release. It addresses three CVEs in upstream libxml2, for which details are below. If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses these vulnerabilities. Full details about the security update are available in GitHub Issue #1943: https://github.com/sparklemotion/nokogiri/issues/1943.

---
CVE-2019-13117
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html
Priority: Low
Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1

---
CVE-2019-13118
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html
Priority: Low
Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow, and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.
Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b

---
CVE-2019-18197
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html
Priority: Medium
Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
generic_textual HIGH http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-13117.json
epss 0.00685 https://api.first.org/data/v1/epss?cve=CVE-2019-13117
epss 0.03929 https://api.first.org/data/v1/epss?cve=CVE-2019-13117
generic_textual HIGH https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471
cvssv3.1 4.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-4hm9-844j-jmxp
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-13117.yml
generic_textual HIGH https://github.com/sparklemotion/nokogiri/issues/1943
generic_textual HIGH https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
generic_textual HIGH https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
generic_textual HIGH https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2019-13117
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2019-13117
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2019-13117
generic_textual HIGH https://oss-fuzz.com/testcase-detail/5631739747106816
generic_textual HIGH https://security.netapp.com/advisory/ntap-20190806-0004
generic_textual HIGH https://security.netapp.com/advisory/ntap-20200122-0003
generic_textual HIGH https://usn.ubuntu.com/4164-1
generic_textual HIGH https://www.oracle.com/security-alerts/cpujan2020.html
generic_textual HIGH http://www.openwall.com/lists/oss-security/2019/11/17/2
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-13117.json
https://api.first.org/data/v1/epss?cve=CVE-2019-13117
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13117
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-13117.yml
https://github.com/sparklemotion/nokogiri/issues/1943
https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ/
https://nvd.nist.gov/vuln/detail/CVE-2019-13117
https://oss-fuzz.com/testcase-detail/5631739747106816
https://security.netapp.com/advisory/ntap-20190806-0004
https://security.netapp.com/advisory/ntap-20190806-0004/
https://security.netapp.com/advisory/ntap-20200122-0003
https://usn.ubuntu.com/4164-1
https://www.oracle.com/security-alerts/cpujan2020.html
http://www.openwall.com/lists/oss-security/2019/11/17/2
1728546 https://bugzilla.redhat.com/show_bug.cgi?id=1728546
931321 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931321
cpe:2.3:a:oracle:openjdk:8:update231:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:openjdk:8:update231:*:*:*:*:*:*
cpe:2.3:a:xmlsoft:libxslt:1.1.33:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:xmlsoft:libxslt:1.1.33:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
GHSA-4hm9-844j-jmxp https://github.com/advisories/GHSA-4hm9-844j-jmxp
USN-4164-1 https://usn.ubuntu.com/4164-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-13117.json
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): none
Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): required
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): none
Availability Impact (A): none

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-13117
Exploitability (E): not specified in vector
Access Vector (AV): network
Access Complexity (AC): low
Authentication (Au): none
Confidentiality Impact (C): partial
Integrity Impact (I): none
Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-13117
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): none
Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.709
EPSS Score 0.00685
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:04:55.492616+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-13117.yml 37.0.0