Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

---
gem: nokogiri
date: 2019-08-11
url: https://github.com/sparklemotion/nokogiri/issues/1915
cve: 2019-5477
title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
description: |
  A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
  commands to be executed in a subprocess by Ruby's `Kernel.open` method.
  Processes are vulnerable only if the undocumented method
  `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.

  This vulnerability appears in code generated by the Rexical gem versions
  v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner
  code for parsing CSS queries. The underlying vulnerability was addressed in
  Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in
  Nokogiri v1.10.4.

  Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method
  `Nokogiri::CSS::Tokenizer#load_file` with untrusted user input.
cvss_v2: '7.5'
cvss_v3: '9.8'
patched_versions:
- ">= 1.10.4"
related:
  url:
  - "https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926"
  - "https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ"
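The advisory above describes the general pattern behind this bug: `Kernel.open` treats a string beginning with `|` as a command to run, so a file loader built on it becomes a command-injection sink when handed untrusted paths. The following added example (not Nokogiri's or Rexical's code; the function names `pipe_path?`, `safe_load_file` and `self_test` are assumptions) shows a hardened loader that uses `File.open`, which never spawns a subprocess, and rejects pipe-style paths up front so that suspicious input can be logged instead of silently treated as a filename.

```ruby
require "tempfile"

# True when Kernel.open would treat the string as a pipe to a subprocess
# rather than a filename: Kernel.open interprets a leading "|" as a command.
def pipe_path?(path)
  path.to_s.start_with?("|")
end

# Hardened loader. File.open only ever opens a file, regardless of the
# string's contents, so it is the safe replacement for a bare open(path).
# The explicit check is defence in depth: a pipe-style path from user input
# is a signal worth surfacing, not something to pass along as a filename.
def safe_load_file(path)
  raise ArgumentError, "refusing pipe-style path: #{path.inspect}" if pipe_path?(path)
  File.open(path, "r") { |f| f.read }
end

# Exercises both branches on constructed input: a real temporary file with a
# small CSS snippet, and a pipe-style string that must be rejected.
def self_test
  results = {}
  Tempfile.create("css-scanner") do |tf|
    tf.write("a > b { color: red }")
    tf.flush
    results[:regular_file] = safe_load_file(tf.path)
  end
  begin
    safe_load_file("|id")
    results[:pipe_rejected] = false
  rescue ArgumentError
    results[:pipe_rejected] = true
  end
  results
end
```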