Bug 2088684 (CVE-2022-29181) - CVE-2022-29181 rubygem-nokogiri: Improper Handling of Unexpected Data Type in Nokogiri
Summary: CVE-2022-29181 rubygem-nokogiri: Improper Handling of Unexpected Data Type in Nokogiri
Keywords:
Status: NEW
Alias: CVE-2022-29181
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2088685 2088686 2089222 2089223
Blocks: 2088687
Reported: 2022-05-20 05:19 UTC by Avinash Hanwate
Modified: 2023-07-31 12:36 UTC (History)

Fixed In Version: rubygem-nokogiri 1.13.6
Doc Type: ---
Doc Text:
A flaw was found in the rubygem-nokogiri package. This flaw allows malicious users to change partial contents or configurations on the system. Additionally, this vulnerability can also cause a limited denial of service in the form of interruptions in resource availability.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Avinash Hanwate 2022-05-20 05:19:05 UTC
Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory.

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
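As an added check (not part of this bug report or the Nokogiri project), a Ruby script that flags a Gemfile.lock pinning nokogiri below the fix release 1.13.6 given above; the lockfile content is constructed sample input and `FIXED_NOKOGIRI`, `nokogiri_versions` and `vulnerable_to_cve_2022_29181?` are names chosen for this example.

```ruby
# Added example: audit a Gemfile.lock for nokogiri pins older than the
# fixed version named in this bug (1.13.6). Uses only Gem::Version from
# rubygems, which Ruby loads by default.
FIXED_NOKOGIRI = Gem::Version.new("1.13.6")

# Constructed sample lockfile with a vulnerable pin (native gem plus a
# platform-specific variant of the same version).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.0)
      nokogiri (1.13.4-x86_64-linux)
        racc (~> 1.4)
      nokogiri (1.13.4)
        mini_portile2 (~> 2.8.0)
        racc (~> 1.4)
      racc (1.6.0)

  PLATFORMS
    ruby
    x86_64-linux

  DEPENDENCIES
    nokogiri
LOCK

# Every nokogiri version pinned in the "specs:" section. Platform
# suffixes such as "-x86_64-linux" are dropped so Gem::Version does not
# treat them as prerelease tags; duplicates collapse to one entry.
def nokogiri_versions(lockfile)
  lockfile.scan(/^ {4}nokogiri \(([\d.]+(?:-[\w-]+)?)\)$/).flatten.map do |v|
    Gem::Version.new(v.split("-").first)
  end.uniq
end

# True when any pinned nokogiri is older than the fix release.
def vulnerable_to_cve_2022_29181?(lockfile)
  nokogiri_versions(lockfile).any? { |v| v < FIXED_NOKOGIRI }
end

if __FILE__ == $PROGRAM_NAME
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  versions = nokogiri_versions(lock).map(&:to_s).join(", ")
  status = vulnerable_to_cve_2022_29181?(lock) ? "VULNERABLE" : "ok"
  puts "nokogiri #{versions}: #{status} (fixed in #{FIXED_NOKOGIRI})"
end
```

Run it with a real Gemfile.lock path as the first argument to check a project instead of the sample.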

Comment 1 Avinash Hanwate 2022-05-20 05:19:35 UTC
Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-all [bug 2088685]
Affects: fedora-all [bug 2088686]
