Nokogiri is vulnerable through the copy of libxml2 bundled in its codebase. libxml2 before 2.9.5 is vulnerable to CVE-2017-18258: the libxml2 decoder does not limit memory usage to what is required when decoding LZMA files.
Name | Operator | Version
---|---|---
nokogiri | le | 1.8.1
libxml2 | eq | 2.9.1__5.ael7b_1.2
libxml2:buster | eq | 2.9.4+dfsg1-7+b3
libxml2:stretch | eq | 2.9.4+dfsg1-2.2+deb9u2
libxml2 | le | 2.7.8.7
git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
kc.mcafee.com/corporate/index?page=content&id=SB10284
lists.debian.org/debian-lts-announce/2018/09/msg00035.html
lists.debian.org/debian-lts-announce/2020/09/msg00009.html
nvd.nist.gov/vuln/detail/CVE-2017-18258
security.netapp.com/advisory/ntap-20190719-0001/
usn.ubuntu.com/3739-1/