===================================================================
CERT-Renater Information Note No. 2022/VULN150
______________________________________________________________________
DATE                 : 12/04/2022
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Nokogiri versions prior to 1.13.4.
=====================================================================

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-gx8x-g87m-h5q6
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

_______________________________________________________________________

Denial of Service (DoS) in Nokogiri on JRuby
Severity: High
flavorjones published GHSA-gx8x-g87m-h5q6

Package           : nokogiri (RubyGems)
Affected versions : < 1.13.4
Patched versions  : 1.13.4

Description

Summary

Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to 1.9.22.noko2, which addresses CVE-2022-24839. That CVE is rated 7.5 (High Severity). See GHSA-9849-p7jc-9rmv for more information.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Impact

CVE-2022-24839 in nekohtml
Severity    : High 7.5
Type        : CWE-400 Uncontrolled Resource Consumption
Description : The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.
See also    : GHSA-9849-p7jc-9rmv

CVE ID  : No known CVE
GHSA ID : GHSA-gx8x-g87m-h5q6
CWEs    : CWE-400

_______________________________________________________________________

Update packaged zlib from 1.2.11 to 1.2.12
Severity: High
flavorjones published GHSA-v6gp-9mmm-c6p5

Package           : nokogiri (RubyGems)
Affected versions : < 1.13.4
Patched versions  : 1.13.4

Description

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.4, and only if the packaged version of zlib is being used. Please see this document for a complete description of which platform gems vendor zlib. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's zlib release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib
Severity    : High
Type        : CWE-787 Out of bounds write
Description : zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

CVE ID  : No known CVE
GHSA ID : GHSA-v6gp-9mmm-c6p5
CWEs    : CWE-787

_______________________________________________________________________

Update packaged Xerces Java from 2.12.0 to 2.12.2
Severity: Moderate
flavorjones published GHSA-xxx9-3xcr-gjj3

Package           : nokogiri (RubyGems)
Affected versions : < 1.13.4
Patched versions  : 1.13.4

Description

Summary

Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to 2.12.2, which addresses CVE-2022-23437. That CVE is scored as CVSS 6.5 "Medium" on the NVD record.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2022-23437 in xerces-J
Severity    : Medium
Type        : CWE-91 XML Injection (aka Blind XPath Injection)
Description : There is a vulnerability in the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present in XercesJ version 2.12.1 and previous versions.
See also    : GHSA-h65f-jvqw-m9fj

CVE ID  : No known CVE
GHSA ID : GHSA-xxx9-3xcr-gjj3

=========================================================
+ CERT-RENATER       | tel   : 01-53-94-20-44           +
+ 23/25 Rue Daviel   | fax   : 01-53-94-20-41           +
+ 75013 Paris        | email : cert@support.renater.fr  +
=========================================================
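The three advisories above apply under different conditions (JRuby only for the nekohtml and Xerces issues, CRuby with the packaged zlib for the zlib issue). The following triage script is an added example, not part of the CERT-Renater note or of the Nokogiri project: it encodes those conditions and reports which GHSA ids apply to an installed gem. It assumes the gem exposes Nokogiri::VERSION and Nokogiri::VERSION_INFO (the data that `nokogiri -v` prints) and that a packaged zlib appears under the "other_libraries" key of VERSION_INFO; both are assumptions about the gem's metadata.

```ruby
# Added example: map a Nokogiri install to the GHSA advisories that apply.
require "rubygems"

PATCHED = Gem::Version.new("1.13.4")

# Platform condition for each advisory, as stated in the note above.
# engine is RUBY_ENGINE ("ruby" for CRuby, "jruby"); zlib is :packaged or :system.
ADVISORIES = {
  "GHSA-gx8x-g87m-h5q6" => ->(engine, _zlib) { engine == "jruby" },                    # nekohtml, CVE-2022-24839
  "GHSA-v6gp-9mmm-c6p5" => ->(engine, zlib)  { engine == "ruby" && zlib == :packaged }, # zlib, CVE-2018-25032
  "GHSA-xxx9-3xcr-gjj3" => ->(engine, _zlib) { engine == "jruby" },                    # Xerces, CVE-2022-23437
}.freeze

# Returns the advisory ids that apply to the given version/engine/zlib combination.
def applicable_advisories(version, engine, zlib)
  v = Gem::Version.new(version)
  # Gem::Version orders prereleases below the release, so "1.13.4.rc1" is still affected.
  return [] unless v < PATCHED
  ADVISORIES.select { |_id, cond| cond.call(engine, zlib) }.keys
end

# Best-effort detection on the running interpreter (assumption: the installed gem
# reports a vendored zlib under VERSION_INFO["other_libraries"]). Returns nil when
# the gem is not installed, so the logic above can still be exercised offline.
def detect_installed
  require "nokogiri"
  info = Nokogiri::VERSION_INFO
  zlib = info.is_a?(Hash) && info.dig("other_libraries", "zlib") ? :packaged : :system
  [Nokogiri::VERSION, RUBY_ENGINE, zlib]
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  found = detect_installed
  if found
    ids = applicable_advisories(*found)
    puts(ids.empty? ? "not affected by 2022/VULN150" : "affected: #{ids.join(', ')}")
  else
    puts "nokogiri gem not installed"
  end
end
```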