Vulnerabilities > CVE-2022-29181 - Type Confusion vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
NONE Availability impact
HIGH Summary
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- http://seclists.org/fulldisclosure/2022/Dec/23
- https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7
- https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267
- https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6
- https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
- https://security.gentoo.org/glsa/202208-29
- https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri
- https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri/
- https://support.apple.com/kb/HT213532