Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and     `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method     `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is     being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a     vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be     able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to     determine if they are affected. (CVE-2022-23476)

Note that Nessus relies on the presence of the package as reported by the vendor.

An update of the rubygem package has been released.

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-b5c325caad advisory.

    A potential bug was found on nokogiri on or before 1.13.9 overlooked some return values from functions     used internally. This can lead to raise some illegal exception. This bug was assigned as CVE-2022-23476.
    This new rpm should fix this issue.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202408-13 (Nokogiri: Denial of Service)

    A denial of service vulnerability has been discovered in Nokogiri. Please review the CVE identifier     referenced below for details.

Tenable has extracted the preceding description block directly from the Gentoo Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-acff3f54b2 advisory.

    A potential bug was found on nokogiri on or before 1.13.9 overlooked some return values from functions     used internally. This can lead to raise some illegal exception. This bug was assigned as CVE-2022-23476.
    This new rpm should fix this issue.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
248001	Linux Distros Unpatched Vulnerability : CVE-2022-23476	Nessus	Misc.	high
213449	Photon OS 5.0: Rubygem PHSA-2024-5.0-0432	Nessus	PhotonOS Local Security Checks	high
211161	Fedora 37 : rubygem-nokogiri (2022-b5c325caad)	Nessus	Fedora Local Security Checks	high
205157	GLSA-202408-13 : Nokogiri: Denial of Service	Nessus	Gentoo Local Security Checks	high
169080	Fedora 36 : rubygem-nokogiri (2022-acff3f54b2)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2022-23476

high

Tenable Plugins

high

high

high

high

high