CVE-2019-5477: Command Injection
(updated )
A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess via Ruby’s Kernel.open
method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file
is being called with unsafe user input as the filename.
References
Detect and mitigate CVE-2019-5477 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →