Nokogiri implementation of libxslt vulnerable to heap corruption
Published: May 24, 2022
SECURITY IDENTIFIERS
- CVE: CVE-2019-5815 (NVD)
- GHSA: GHSA-vmfx-gcfq-wvm2
- Vendor Advisory: https://github.com/sparklemotion/nokogiri/issues/2630
GEM
nokogiri
SEVERITY
PATCHED VERSIONS
>= 1.10.5
DESCRIPTION
Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.
Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.
Note that the gem upgrade only helps installations that use Nokogiri's vendored libxslt. A Nokogiri built against the system libraries (for example with --use-system-libraries) loads the operating system's libxslt instead, and its exposure is decided by whether the distribution's libxslt package carries the fix (see the Debian LTS announcement below).
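As a practitioner's check, here is a small Ruby script that classifies a Nokogiri install against the version boundaries stated in this advisory. It is an added example, not code from the Nokogiri project or from the advisory. It assumes that Nokogiri::VERSION_INFO["libxslt"] exposes a "source" key ("packaged" or "system") and a "loaded" or "compiled" version string, as current Nokogiri releases do; older releases expose fewer keys, so the script falls back to the vendored case when a key is missing. The pure decision function can be exercised offline with constructed inputs.

```ruby
require "rubygems" # for Gem::Version (ships with Ruby)

# Boundaries taken from the advisory text. Upstream libxslt fixed the type
# confusion in 1.1.33; Nokogiri 1.10.5 vendors 1.1.34 and is the first patched gem.
PATCHED_NOKOGIRI = Gem::Version.new("1.10.5")
PATCHED_LIBXSLT  = Gem::Version.new("1.1.33")

# Decide whether a given Nokogiri install is exposed to CVE-2019-5815.
#
#   nokogiri_version - the gem's version string, e.g. "1.10.4"
#   libxslt_source   - "packaged" (the gem's vendored libxslt) or "system"
#                      (the OS copy, e.g. a build with --use-system-libraries)
#   libxslt_version  - version string of the libxslt that is actually loaded
#
# Returns true when the install should be treated as vulnerable.
def vulnerable_to_cve_2019_5815?(nokogiri_version:, libxslt_source:, libxslt_version:)
  libxslt = Gem::Version.new(libxslt_version)

  if libxslt_source == "system"
    # The gem version says nothing here: the OS-provided libxslt decides.
    # Caveat: distributions often backport fixes without bumping the version
    # string (Debian LTS shipped a fix for this CVE), so a "vulnerable" answer
    # for a system build is a prompt to read the package changelog, not a verdict.
    return libxslt < PATCHED_LIBXSLT
  end

  # Vendored build: a gem older than 1.10.5 ships an unpatched libxslt. Also
  # flag a reported libxslt version below the fix regardless of gem version.
  Gem::Version.new(nokogiri_version) < PATCHED_NOKOGIRI || libxslt < PATCHED_LIBXSLT
end

# Inspect the Nokogiri installed in the current Ruby environment.
# Returns true/false, or nil when Nokogiri cannot be loaded.
# Assumption (see lead-in): VERSION_INFO["libxslt"] carries "source" and
# "loaded"/"compiled"; missing keys fall back to the vendored case.
def current_nokogiri_vulnerable?
  require "nokogiri"
  xslt = Nokogiri::VERSION_INFO.fetch("libxslt", {})
  vulnerable_to_cve_2019_5815?(
    nokogiri_version: Nokogiri::VERSION,
    libxslt_source: xslt["source"] || "packaged",
    libxslt_version: xslt["loaded"] || xslt["compiled"] || "0"
  )
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  case current_nokogiri_vulnerable?
  when nil  then puts "nokogiri is not installed in this environment"
  when true then puts "Nokogiri #{Nokogiri::VERSION}: exposed to CVE-2019-5815, upgrade to >= 1.10.5"
  else           puts "Nokogiri #{Nokogiri::VERSION}: not exposed to CVE-2019-5815"
  end
end
```

Run it inside the application's bundle (`bundle exec ruby check_nokogiri.rb`) so it inspects the Nokogiri the application actually loads rather than whatever gem happens to be first on the global path. For system-library builds, treat a "vulnerable" result as a reason to confirm with the distribution's package changelog, since a backported fix will not show up in the version string.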
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2019-5815
- https://github.com/sparklemotion/nokogiri/issues/2630
- https://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b
- https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html
- https://github.com/advisories/GHSA-vmfx-gcfq-wvm2
