Ruby/nokogiri/1.13.9
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2, libgumbo, or xerces.
https://rubygems.org/gems/nokogiri
MIT
5 Security Vulnerabilities
Unchecked return value from xmlTextReaderExpand
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj
- https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce
- https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50
- https://github.com/advisories/GHSA-qv4q-mr5r-qprj
- https://nvd.nist.gov/vuln/detail/CVE-2022-23476
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-23476.yml
Summary
Nokogiri 1.13.8, 1.13.9
fails to check the return value from xmlTextReaderExpand
in the method Nokogiri::XML::Reader#attribute_hash
. This can lead to a null pointer exception when invalid markup is being parsed.
For applications using XML::Reader
to parse untrusted inputs, this may potentially be a vector for a denial of service attack.
Mitigation
Upgrade to Nokogiri >= 1.13.10
.
Users may be able to search their code for calls to either XML::Reader#attributes
or XML::Reader#attribute_hash
to determine if they are affected.
Severity
The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
Credit
This vulnerability was responsibly reported by @davidwilemski.
Use-after-free in libxml2 via Nokogiri::XML::Reader
Summary
Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4
libxml2 v2.11.7 and v2.12.5 address the following vulnerability:
CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.
JRuby users are not affected.
Severity
The Nokogiri maintainers have evaluated this as Moderate.
Impact
From the CVE description, this issue applies to the xmlTextReader
module (which underlies
Nokogiri::XML::Reader
):
When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Mitigation
Upgrade to Nokogiri ~> 1.15.6
or >= 1.16.2
.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.
Unchecked return value from xmlTextReaderExpand
Summary
Nokogiri 1.13.8, 1.13.9
fails to check the return value from xmlTextReaderExpand
in the method Nokogiri::XML::Reader#attribute_hash
. This can lead to a null pointer exception when invalid markup is being parsed.
For applications using XML::Reader
to parse untrusted inputs, this may potentially be a vector for a denial of service attack.
Mitigation
Upgrade to Nokogiri >= 1.13.10
.
Users may be able to search their code for calls to either XML::Reader#attributes
or XML::Reader#attribute_hash
to determine if they are affected.
Severity
The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
Credit
This vulnerability was responsibly reported by @davidwilemski.
Update packaged libxml2 to v2.10.4 to resolve multiple CVEs
Summary
Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.
libxml2 v2.10.4 addresses the following known vulnerabilities:
- CVE-2023-29469: Hashing of empty dict strings isn't deterministic
- CVE-2023-28484: Fix null deref in xmlSchemaFixupComplexType
- Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3
,
and only if the packaged libraries are being used. If you've overridden defaults at installation
time to use system libraries instead of packaged libraries, you should instead pay attention to
your distro's libxml2
release announcements.
Mitigation
Upgrade to Nokogiri >= 1.14.3
.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against external libraries libxml2 >= 2.10.4
which will also address these
same issues.
Impact
No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicate that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.
The commits can be examined at:
- [CVE-2023-29469] Hashing of empty dict strings isn't deterministic (09a2dd45)
- [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType (647e072e)
- schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7)
Use-after-free in libxml2 via Nokogiri::XML::Reader
Summary
Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4
libxml2 v2.11.7 and v2.12.5 address the following vulnerability:
CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.
JRuby users are not affected.
Severity
The Nokogiri maintainers have evaluated this as Moderate.
Impact
From the CVE description, this issue applies to the xmlTextReader
module (which underlies
Nokogiri::XML::Reader
):
When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
Mitigation
Upgrade to Nokogiri ~> 1.15.6
or >= 1.16.2
.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.
170 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
1.16.4 | MIT | 2024-04-10 - 18:17 | about 1 month | |
1.16.3 | MIT | 2024-03-15 - 21:21 | about 2 months | |
1.16.2 | MIT | 2024-02-04 - 16:52 | 3 months | |
1.16.1 | MIT | 2 | 2024-02-03 - 16:27 | 3 months |
1.16.0 | MIT | 2 | 2023-12-28 - 00:08 | 5 months |
1.16.0.rc1 | MIT | 1 | 2023-12-13 - 22:00 | 5 months |
1.15.6 | MIT | 2024-03-16 - 13:14 | about 2 months | |
1.15.5 | MIT | 1 | 2023-11-17 - 16:13 | 6 months |
1.15.4 | MIT | 1 | 2023-08-11 - 19:25 | 9 months |
1.15.3 | MIT | 1 | 2023-07-05 - 14:34 | 10 months |
1.15.2 | MIT | 1 | 2023-05-24 - 13:31 | 12 months |
1.15.1 | MIT | 1 | 2023-05-19 - 14:06 | 12 months |
1.15.0 | MIT | 1 | 2023-05-15 - 19:57 | 12 months |
1.14.5 | MIT | 2 | 2023-05-24 - 13:04 | 12 months |
1.14.4 | MIT | 2 | 2023-05-11 - 18:12 | almost 1 year |
1.14.3 | MIT | 2 | 2023-04-11 - 17:00 | about 1 year |
1.14.2 | MIT | 3 | 2023-02-13 - 17:41 | about 1 year |
1.14.1 | MIT | 3 | 2023-01-30 - 19:40 | over 1 year |
1.14.0 | MIT | 3 | 2023-01-12 - 21:52 | over 1 year |
1.14.0.rc1 | MIT | 3 | 2022-12-29 - 15:47 | over 1 year |
1.13.10 | MIT | 3 | 2022-12-08 - 02:47 | over 1 year |
1.13.9 | MIT | 5 | 2022-10-18 - 15:48 | over 1 year |
1.13.8 | MIT | 6 | 2022-07-23 - 15:50 | almost 2 years |
1.13.7 | MIT | 4 | 2022-07-12 - 14:56 | almost 2 years |
1.13.6 | MIT | 4 | 2022-05-08 - 14:34 | about 2 years |
1.13.5 | MIT | 6 | 2022-05-04 - 20:41 | about 2 years |
1.13.4 | MIT | 7 | 2022-04-11 - 20:44 | about 2 years |
1.13.3 | MIT | 16 | 2022-02-22 - 04:52 | about 2 years |
1.13.2 | MIT | 16 | 2022-02-21 - 18:52 | about 2 years |
1.13.1 | MIT | 19 | 2022-01-13 - 16:04 | over 2 years |
1.13.0 | MIT | 19 | 2022-01-06 - 20:53 | over 2 years |
1.12.5 | MIT | 19 | 2021-09-27 - 19:03 | over 2 years |
1.12.4 | MIT | 21 | 2021-08-29 - 21:18 | over 2 years |
1.12.3 | MIT | 21 | 2021-08-10 - 19:32 | over 2 years |
1.12.2 | MIT | 21 | 2021-08-04 - 15:03 | almost 3 years |
1.12.1 | MIT | 21 | 2021-08-03 - 15:11 | almost 3 years |
1.12.0 | MIT | 21 | 2021-08-02 - 17:34 | almost 3 years |
1.12.0.rc1 | MIT | 21 | 2021-07-09 - 20:00 | almost 3 years |
1.11.7 | MIT | 21 | 2021-06-03 - 00:31 | almost 3 years |
1.11.6 | MIT | 21 | 2021-05-26 - 13:16 | almost 3 years |
1.11.5 | MIT | 21 | 2021-05-20 - 03:08 | almost 3 years |
1.11.4 | MIT | 21 | 2021-05-14 - 23:30 | almost 3 years |
1.11.3 | MIT | 28 | 2021-04-07 - 20:33 | about 3 years |
1.11.2 | MIT | 28 | 2021-03-11 - 15:56 | about 3 years |
1.11.1 | MIT | 28 | 2021-01-06 - 05:30 | over 3 years |
1.11.0 | MIT | 28 | 2021-01-04 - 04:20 | over 3 years |
1.11.0.rc4 | MIT | 28 | 2020-12-29 - 16:44 | over 3 years |
1.11.0.rc3 | MIT | 29 | 2020-09-08 - 13:26 | over 3 years |
1.11.0.rc2 | MIT | 29 | 2020-04-01 - 19:18 | about 4 years |
1.11.0.rc1 | MIT | 29 | 2020-02-03 - 13:54 | over 4 years |
1.10.10 | MIT | 30 | 2020-07-06 - 13:40 | almost 4 years |
1.10.9 | MIT | 30 | 2020-03-01 - 19:05 | about 4 years |
1.10.8 | MIT | 30 | 2020-02-10 - 19:44 | about 4 years |
1.10.7 | MIT | 32 | 2019-12-04 - 15:29 | over 4 years |
1.10.6 | MIT | 32 | 2019-12-04 - 00:44 | over 4 years |
1.10.5 | MIT | 32 | 2019-10-31 - 19:29 | over 4 years |
1.10.4 | MIT | 40 | 2019-08-11 - 19:25 | over 4 years |
1.10.3 | MIT | 42 | 2019-04-22 - 17:10 | about 5 years |
1.10.2 | MIT | 44 | 2019-03-25 - 13:03 | about 5 years |
1.10.1 | MIT | 44 | 2019-01-13 - 06:30 | over 5 years |
1.10.0 | MIT | 44 | 2019-01-04 - 15:35 | over 5 years |
1.10.0.rc1 | MIT | 44 | 2019-01-03 - 15:05 | over 5 years |
1.9.1 | MIT | 44 | 2018-12-18 - 05:22 | over 5 years |
1.9.0 | MIT | 44 | 2018-12-17 - 15:21 | over 5 years |
1.9.0.rc1 | MIT | 44 | 2018-12-10 - 06:10 | over 5 years |
1.8.5 | MIT | 44 | 2018-10-05 - 01:14 | over 5 years |
1.8.4 | MIT | 46 | 2018-07-04 - 00:37 | almost 6 years |
1.8.3 | MIT | 46 | 2018-06-16 - 20:04 | almost 6 years |
1.8.2 | MIT | 48 | 2018-01-29 - 13:16 | over 6 years |
1.8.1 | MIT | 52 | 2017-09-19 - 16:12 | over 6 years |
1.8.0 | MIT | 56 | 2017-06-05 - 04:04 | almost 7 years |
1.7.2 | MIT | 56 | 2017-05-09 - 21:29 | about 7 years |
1.7.1 | MIT | 58 | 2017-03-20 - 03:39 | about 7 years |
1.7.0.1 | MIT | 60 | 2017-01-04 - 05:42 | over 7 years |
1.7.0 | MIT | 60 | 2016-12-27 - 03:49 | over 7 years |
1.6.8.1 | MIT | 60 | 2016-10-03 - 04:46 | over 7 years |
1.6.8 | MIT | 60 | 2016-06-07 - 00:04 | almost 8 years |
1.6.8.rc3 | MIT | 62 | 2016-02-17 - 06:33 | about 8 years |
1.6.8.rc2 | MIT | 62 | 2016-01-12 - 17:08 | over 8 years |
1.6.8.rc1 | MIT | 62 | 2015-12-17 - 07:28 | over 8 years |
1.6.7.2 | MIT | 62 | 2016-01-20 - 19:18 | over 8 years |
1.6.7.1 | MIT | 64 | 2015-12-17 - 05:08 | over 8 years |
1.6.7 | MIT | 66 | 2015-11-30 - 04:21 | over 8 years |
1.6.7.rc4 | MIT | 66 | 2015-11-22 - 22:56 | over 8 years |
1.6.7.rc3 | MIT | 67 | 2015-09-04 - 17:34 | over 8 years |
1.6.7.rc2 | MIT | 67 | 2015-08-31 - 13:51 | over 8 years |
1.6.6.4 | MIT | 66 | 2015-11-19 - 20:58 | over 8 years |
1.6.6.3 | MIT | 67 | 2015-11-17 - 00:02 | over 8 years |
1.6.6.2 | MIT | 67 | 2015-01-23 - 18:53 | over 9 years |
1.6.6.1 | MIT | 67 | 2015-01-22 - 18:42 | over 9 years |
1.6.5 | MIT | 67 | 2014-11-26 - 21:07 | over 9 years |
1.6.4.1 | MIT | 67 | 2014-11-07 - 03:03 | over 9 years |
1.6.4 | MIT | 67 | 2014-11-05 - 04:32 | over 9 years |
1.6.3.1 | MIT | 67 | 2014-07-22 - 01:35 | almost 10 years |
1.6.3 | MIT | 67 | 2014-07-20 - 18:57 | almost 10 years |
1.6.3.rc3 | MIT | 68 | 2014-06-21 - 20:31 | almost 10 years |
1.6.3.rc2 | MIT | 68 | 2014-06-17 - 17:04 | almost 10 years |
1.6.3.rc1 | MIT | 68 | 2014-05-22 - 19:23 | almost 10 years |
1.6.2.1 | MIT | 67 | 2014-05-14 - 01:21 | almost 10 years |
1.6.2 | MIT | 68 | 2014-05-12 - 22:31 | almost 10 years |