Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNyNWotOTUzai14dzVw
Nokogiri Command Injection Vulnerability
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNyNWotOTUzai14dzVw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 4 years ago
Updated: 8 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-cr5j-953j-xw5p, CVE-2019-5477
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-5477
- https://github.com/sparklemotion/nokogiri/issues/1915
- https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc
- https://hackerone.com/reports/650835
- https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html
- https://security.gentoo.org/glsa/202006-05
- https://usn.ubuntu.com/4175-1/
- https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
- https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html
- https://github.com/sparklemotion/nokogiri/commit/5d30128343573a9428c86efc758ba2c66e9f12dc
- https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5477.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexical/CVE-2019-5477.yml
- https://github.com/advisories/GHSA-cr5j-953j-xw5p
Blast Radius: 59.2
Affected Packages
rubygems:rexical
Dependent packages: 34Dependent repositories: 509
Downloads: 642,830 total
Affected Version Ranges: < 1.0.7
Fixed in: 1.0.7
All affected versions: 1.0.3, 1.0.4, 1.0.5
All unaffected versions: 1.0.7
rubygems:nokogiri
Dependent packages: 8,006Dependent repositories: 1,093,699
Downloads: 781,283,718 total
Affected Version Ranges: < 1.10.4
Fixed in: 1.10.4
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.7, 1.6.8, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.10.3
All unaffected versions: 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 1.13.7, 1.13.8, 1.13.9, 1.13.10, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 1.15.6, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4