Headline
Gentoo Linux Security Advisory 202408-13
Gentoo Linux Security Advisory 202408-13 - A vulnerability has been discovered in Nokogiri, which can lead to a denial of service. Versions greater than or equal to 1.13.10 are affected.
Gentoo Linux Security Advisory GLSA 202408-13
https://security.gentoo.org/
Severity: Normal
Title: Nokogiri: Denial of Service
Date: August 07, 2024
Bugs: #884863
ID: 202408-13
Synopsis
A vulnerability has been discovered in Nokogiri, which can lead to a
denial of service.
Background
Nokogiri is an HTML, XML, SAX, and Reader parser.
Affected packages
Package Vulnerable Unaffected
dev-ruby/nokogiri < 1.13.10 >= 1.13.10
Description
A denial of service vulnerability has been discovered in Nokogiri.
Please review the CVE identifier referenced below for details.
Impact
Nokogiri fails to check the return value from xmlTextReaderExpand
in
the method Nokogiri::XML::Reader#attribute_hash
. This can lead to a
null pointer exception when invalid markup is being parsed. For
applications using XML::Reader
to parse untrusted inputs, this may
potentially be a vector for a denial of service attack.
Workaround
Users may be able to search their code for calls to either
XML::Reader#attributes
or XML::Reader#attribute_hash
to determine if
they are affected.
Resolution
All Nokogiri users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose “>=dev-ruby/nokogiri-1.13.10”
References
[ 1 ] CVE-2022-23476
https://nvd.nist.gov/vuln/detail/CVE-2022-23476
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202408-13
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Related news
Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.
## Summary Nokogiri `1.13.8, 1.13.9` fails to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. ## Mitigation Upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected. ## Severity The Nokogiri maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). ## References - [CWE - CWE-252: Unchecked Return Value (4.9)](https://cwe.mitre.org/data/definitions/252.html) - [CWE - CWE-476: NULL Pointer Dereference (4.9)](https://cwe.mitre.org/data/definitions/476.html) ## Credit This vulnerability was respo...