GLSA-202208-29 : Nokogiri: Multiple Vulnerabilities

high Nessus Plugin ID 164110

Description

The remote host is affected by the vulnerability described in GLSA-202208-29 (Nokogiri: Multiple Vulnerabilities)

- Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4. (CVE-2020-26247)

- Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue. (CVE-2022-24836)

- Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent. (CVE-2022-29181)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

All Nokogiri users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/nokogiri-1.13.6"

See Also

https://security.gentoo.org/glsa/202208-29

https://bugs.gentoo.org/show_bug.cgi?id=762685

https://bugs.gentoo.org/show_bug.cgi?id=837902

https://bugs.gentoo.org/show_bug.cgi?id=846623

Plugin Details

Severity: High

ID: 164110

File Name: gentoo_GLSA-202208-29.nasl

Version: 1.3

Type: local

Published: 8/15/2022

Updated: 10/16/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.0

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS Score Source: CVE-2022-29181

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:nokogiri, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/14/2022

Vulnerability Publication Date: 12/30/2020

Reference Information

CVE: CVE-2020-26247, CVE-2022-24836, CVE-2022-29181