Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12NmdwLTltbW0tYzZwNc054w
Out-of-bounds Write in zlib affects Nokogiri
Summary
Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.4, and only if the packaged version of zlib is being used. Please see this document for a complete description of which platform gems vendor zlib. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's zlib release announcements.
Mitigation
Upgrade to Nokogiri >= v1.13.4.
Impact
CVE-2018-25032 in zlib
- Severity: High
- Type: CWE-787 Out of bounds write
- Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12NmdwLTltbW0tYzZwNc054w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: about 2 years ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-v6gp-9mmm-c6p5
References:
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
- https://nvd.nist.gov/vuln/detail/CVE-2018-25032
- https://github.com/advisories/GHSA-jc36-42cf-vqwj
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
- https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
- https://github.com/advisories/GHSA-v6gp-9mmm-c6p5
Blast Radius: 45.3
Affected Packages
rubygems:nokogiri
Dependent packages: 8,056Dependent repositories: 1,093,699
Downloads: 899,941,549 total
Affected Version Ranges: < 1.13.4
Fixed in: 1.13.4
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.7, 1.6.8, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.13.0, 1.13.1, 1.13.2, 1.13.3
All unaffected versions: 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.13.8, 1.13.9, 1.13.10, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 1.15.6, 1.15.7, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 1.16.5, 1.16.6, 1.16.7, 1.16.8, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.18.1, 1.18.2