CVE-2022-29181

moderate-risk

Published 2022-05-20

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent.

Do I need to act?

4.2% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.2/10 High

NETWORK / LOW complexity

Affected Products (2)

Nokogiri

Macos

Affected Vendors

Apple Nokogiri

References (12)

https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714...

Patch https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a...

Release Notes https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6

Issue Tracking https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8...

https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri

Mailing List http://seclists.org/fulldisclosure/2022/Dec/23

Patch https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a...

Release Notes https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6

Issue Tracking https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8...

Third Party Advisory https://security.gentoo.org/glsa/202208-29

Exploit https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri/

Third Party Advisory https://support.apple.com/kb/HT213532

/ 100

moderate-risk

Severity 28/34 · Critical

Exploitability 7/34 · Low

Exposure 7/34 · Low