RubySec

Providing security resources for the Ruby community

CVE-2016-4658 (nokogiri): Nokogiri gem contains several vulnerabilities in libxml2 and libxslt

ADVISORIES

GEM

nokogiri

SEVERITY

CVSS v3: 9.8 (Critical)

CVSS v2: 10.0 (High)

PATCHED VERSIONS

  • >= 1.7.1

DESCRIPTION

Nokogiri version 1.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs:

CVE-2016-4658 CVSS v3 Base Score: 9.8 (Critical) libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.

CVE-2016-5131 CVSS v3 Base Score: 8.8 (HIGH) Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.