Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.
The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).
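The following is an added example, not code from the Nokogiri project, showing how an application would apply the advisory's workaround: coerce any untrusted object to a String before it reaches the native SAX parser, and check the installed Nokogiri version against the fixed release. The helper names (`coerce_sax_input`, `safe_sax_parse`, `nokogiri_patched?`) are assumptions for illustration; reading IO-like objects to a String rather than calling `#to_s` on them is an interpretation of "or equivalent", since `StringIO#to_s` would not yield the document contents. The `require "nokogiri"` is guarded so the guard logic runs even where the gem is absent.

```ruby
# Added example (not Nokogiri project code): workaround for the SAX parser
# type-check issue described above. Ensures untrusted input is a String
# before it is handed to the native parser, and checks the fixed version.
require "stringio"

begin
  require "nokogiri"
rescue LoadError
  warn "nokogiri not installed; safe_sax_parse cannot be exercised"
end

# First release that type-checks SAX parser inputs (from the advisory).
NOKOGIRI_FIXED_VERSION = Gem::Version.new("1.13.6")

# Returns true when the given Nokogiri version string contains the fix.
def nokogiri_patched?(version_string)
  Gem::Version.new(version_string) >= NOKOGIRI_FIXED_VERSION
end

# Coerce untrusted input to a String before it reaches the SAX parser.
# Unpatched Nokogiri (< 1.13.6) passes the object through to native code
# without checking its type, so an Integer, Symbol, nil, Array or other
# non-String can trigger an invalid memory read. Strings pass through
# untouched; IO-like objects are read fully (assumption: treated as the
# "or equivalent" of #to_s); everything else goes through #to_s.
def coerce_sax_input(input)
  case input
  when String then input
  when IO, StringIO then input.read.to_s
  else input.to_s
  end
end

# Hypothetical wrapper an application would call instead of invoking
# Nokogiri::XML::SAX::Parser#parse on raw untrusted input.
def safe_sax_parse(untrusted, handler)
  xml = coerce_sax_input(untrusted)
  # nil.to_s is "" and an empty document is never valid; fail early
  # rather than letting the parser see it.
  raise ArgumentError, "empty document" if xml.empty?
  Nokogiri::XML::SAX::Parser.new(handler).parse(xml)
end

if defined?(Nokogiri)
  handler = Nokogiri::XML::SAX::Document.new        # no-op callbacks
  safe_sax_parse("<root><child/></root>", handler)  # constructed sample
  safe_sax_parse(12_345, handler)                   # coerced to "12345"; parse error at worst, no native crash
end
```

The coercion is deliberately placed in a single choke point so that every parser entry point in the application goes through it; once the deployed gem reports `nokogiri_patched?` as true the wrapper is harmless but still useful as defence in depth.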
Name | Vendor | Start Version | End Version |
---|---|---|---|
Nokogiri | Nokogiri | * | 1.13.6 (excluding) |
Red Hat Satellite 6.12 for RHEL 8 | RedHat | rubygem-nokogiri-0:1.13.8-1.el8sat | * |
Ruby-nokogiri | Ubuntu | bionic | * |
Ruby-nokogiri | Ubuntu | esm-apps/focal | * |
Ruby-nokogiri | Ubuntu | esm-apps/jammy | * |
Ruby-nokogiri | Ubuntu | focal | * |
Ruby-nokogiri | Ubuntu | impish | * |
Ruby-nokogiri | Ubuntu | jammy | * |
Ruby-nokogiri | Ubuntu | kinetic | * |
Ruby-nokogiri | Ubuntu | lunar | * |
Ruby-nokogiri | Ubuntu | mantic | * |
Ruby-nokogiri | Ubuntu | trusty/esm | * |
Ruby-nokogiri | Ubuntu | upstream | * |