CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS
Percentile
46.9%
Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.
libxml2 v2.10.4 addresses the following known vulnerabilities:
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3
, and only if the packaged libraries are being used. If you’ve overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro’s libxml2
release announcements.
Upgrade to Nokogiri >= 1.14.3
.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.4
which will also address these same issues.
No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicate that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.
The commits can be examined at:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469
github.com/sparklemotion/nokogiri
github.com/sparklemotion/nokogiri/security/advisories/GHSA-pxvg-2qj5-37jq
gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64
gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6
gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f
gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4