Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri 1.13.8 and 1.13.9 fail to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed. For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri >= 1.13.10. Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Nokogiri | Nokogiri | 1.13.8 (including) | 1.13.8 (including) |
| Nokogiri | Nokogiri | 1.13.9 (including) | 1.13.9 (including) |
| Ruby-nokogiri | Ubuntu | bionic | * |
| Ruby-nokogiri | Ubuntu | kinetic | * |
| Ruby-nokogiri | Ubuntu | lunar | * |
| Ruby-nokogiri | Ubuntu | mantic | * |
| Ruby-nokogiri | Ubuntu | trusty | * |
| Ruby-nokogiri | Ubuntu | xenial | * |