CVE-2022-23476
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri 1.13.8 and 1.13.9 fail to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed. For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri >= 1.13.10. Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| sparklemotion | nokogiri | >= 1.13.8, < 1.13.10 | affected |
Weaknesses
- CWE-252: CWE-252: Unchecked Return Value
- CWE-476: CWE-476: NULL Pointer Dereference
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj
- https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce
- https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj
- https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce
- https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.