CVE-2022-29181: Nokogiri Improperly Handles Unexpected Data Type
Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory.
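As an added example (not taken from the advisory or from the Nokogiri project), the Ruby code below checks the text of a `Gemfile.lock` for resolved Nokogiri entries older than the fixed release v1.13.6. The lockfile content is a constructed sample, and `nokogiri_findings` is a hypothetical helper name.

```ruby
require "rubygems" # Gem::Version; normally preloaded, required here for clarity

FIXED = Gem::Version.new("1.13.6") # first fixed release named by the advisory

# Constructed sample Gemfile.lock content, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.0)
      nokogiri (1.13.4)
        mini_portile2 (~> 2.8.0)
        racc (~> 1.4)
      nokogiri (1.13.4-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)

  PLATFORMS
    ruby
    x86_64-linux

  DEPENDENCIES
    nokogiri
LOCK

# Returns one hash per resolved nokogiri entry found in the lockfile text.
# The platform is reported because the advisory states the memory-access
# impact for CRuby users.
def nokogiri_findings(lock_text)
  lock_text.each_line.filter_map do |line|
    # Resolved specs are indented exactly four spaces: "    name (version[-platform])".
    # Dependency constraints are indented six spaces and are skipped.
    m = line.match(/\A {4}nokogiri \((\d+(?:\.\w+)*)(?:-([\w.-]+))?\)\s*\z/)
    next unless m
    version = Gem::Version.new(m[1])
    { version: version.to_s, platform: m[2] || "ruby", vulnerable: version < FIXED }
  end
end

if __FILE__ == $PROGRAM_NAME
  nokogiri_findings(SAMPLE_LOCK).each do |f|
    status = f[:vulnerable] ? "affected by CVE-2022-29181" : "not affected"
    puts "nokogiri #{f[:version]} (#{f[:platform]}): #{status}"
  end
end
```
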
References
- github.com/advisories/GHSA-xh29-r2w5-wx8m
- github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-29181.yml
- github.com/sparklemotion/nokogiri
- github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7
- github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267
- github.com/sparklemotion/nokogiri/releases/tag/v1.13.6
- github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
- nvd.nist.gov/vuln/detail/CVE-2022-29181
- security.gentoo.org/glsa/202208-29
- securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri
- support.apple.com/kb/HT213532
Detect and mitigate CVE-2022-29181 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.