CVE-2022-23476

NameCVE-2022-23476
DescriptionNokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-nokogiri (PTS)buster1.10.0+dfsg1-2fixed
buster (security)1.10.0+dfsg1-2+deb10u1fixed
bullseye1.11.1+dfsg-2fixed
bookworm, sid1.13.10+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-nokogirisourcebuster(not affected)
ruby-nokogirisourcebullseye(not affected)
ruby-nokogirisource(unstable)1.13.10+dfsg-1

Notes

[bullseye] - ruby-nokogiri <not-affected> (Introduced in 1.13.8)
[buster] - ruby-nokogiri <not-affected> (Introduced in 1.13.8)
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj
https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50 (v1.13.10)
Search for package or bug name: Reporting problems