CVE-2022-23476Unchecked Return Value in Nokogiri

CWE-252Unchecked Return ValueCWE-476NULL Pointer Dereference6 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.2%
top 52.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
NokogiriDebian Ruby-nokogiriSparklemotion Nokogiri
Timeline
PublishedDec 8

Description

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may b

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

debiandebian/ruby-nokogiri< ruby-nokogiri 1.13.10+dfsg-1 (bookworm)
RubyGemsnokogiri/nokogiri1.13.81.13.10
NVDnokogiri/nokogiri1.13.8, 1.13.9+1
CVEListV5sparklemotion/nokogiri>= 1.13.8, < 1.13.10

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
Unchecked return value from xmlTextReaderExpand2022-12-08
OSV
Unchecked return value from xmlTextReaderExpand2022-12-08
OSV
CVE-2022-23476: Nokogiri is an open source XML and HTML library for the Ruby programming language2022-12-08

📋Vendor Advisories

2
Red Hat
rubygem-nokogiri: Denial of service2022-12-08
Debian
CVE-2022-23476: ruby-nokogiri - Nokogiri is an open source XML and HTML library for the Ruby programming languag...2022