title: 'Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Nokogiri version 18.104.22.168 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVE:
CVSS v2 Base Score: 5.0 (MEDIUM)
Heap-based buffer overflow in the xmlGROW function in parser.c
in libxml2 before 2.9.3 allows context-dependent attackers to
obtain sensitive process memory information via unspecified
libxml2 could be made to crash if it opened a specially crafted
file. It was discovered that libxml2 incorrectly handled certain
malformed documents. If a user or automated system were tricked
into opening a specially crafted document, an attacker could
possibly cause libxml2 to crash, resulting in a denial of service.
- "< 1.6.0"
- ">= 22.214.171.124"