===================================================================== CERT-Renater Note d'Information No. 2021/VULN109 ____________________________________________________________________ DATE : 07/03/2022 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S) : Systems running Nokogiri versions prior to 1.13.2. ===================================================================== https://github.com/advisories/GHSA-fq42-c5rg-92c2 _____________________________________________________________________ Vulnerable dependencies in Nokogiri High severity GitHub Reviewed Vulnerability details Package nokogiri (RubyGems) Affected versions < 1.13.2 Patched versions 1.13.2 Description Summary Nokogiri v1.13.2 upgrades two of its packaged dependencies: vendored libxml2 from v2.9.12 to v2.9.13 vendored libxslt from v1.1.34 to v1.1.35 Those library versions address the following upstream CVEs: libxslt: CVE-2021-30560 (CVSS 8.8, High severity) libxml2: CVE-2022-23308 (Unspecified severity, see more information below) Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs. Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements. Mitigation Upgrade to Nokogiri >= 1.13.2. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs. Impact libxslt CVE-2021-30560 CVSS3 score: 8.8 (High) Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c All versions of libxslt prior to v1.1.35 are affected. Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately. libxml2 CVE-2022-23308 As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score. Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12 Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options DTDVALID set to true, and NOENT set to false. An analysis of these parse options: While NOENT is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later. DTDVALID is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly. It seems reasonable to assume that any application explicitly setting the parse option DTDVALID when parsing untrusted documents is vulnerable and should be upgraded immediately. References GHSA-fq42-c5rg-92c2 @flavorjones flavorjones published the maintainer security advisory CVE ID No known CVE GHSA ID GHSA-fq42-c5rg-92c2 CWEs CWE-416 ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================