CVE-2019-13117: Improper Input Validation

June 30, 2019 (updated July 22, 2019)

In numbers.c in libxslt, which is used by nokogiri, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters [AaIi0], or any other character.

References

bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471
nvd.nist.gov/vuln/detail/CVE-2019-13117

Detect and mitigate CVE-2019-13117 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →