
CVE-2022-23476


Date: December 7, 2022

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri "1.13.8" and "1.13.9" fail to check the return value from "xmlTextReaderExpand" in the method "Nokogiri::XML::Reader#attribute_hash". This can lead to a null pointer exception when invalid markup is being parsed. For applications using "XML::Reader" to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri ">= 1.13.10". Users may be able to search their code for calls to either "XML::Reader#attributes" or "XML::Reader#attribute_hash" to determine if they are affected.
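The advisory gives two things to check: whether the locked nokogiri release is one of the affected ones, and whether the code base calls XML::Reader#attributes or XML::Reader#attribute_hash. The stand-alone Ruby helper below applies both checks; it is an added example, not code from the advisory or from the Nokogiri project, and the Gemfile.lock and source text it inspects are constructed samples.

```ruby
# Added triage helper (not from the advisory or Nokogiri), standard library only.
# Applies the advisory's two exposure conditions for CVE-2022-23476: nokogiri
# 1.13.8 or 1.13.9 is locked, and code reaches XML::Reader#attributes or
# XML::Reader#attribute_hash. Sample lockfile and source below are constructed.
require "rubygems"
FIRST_AFFECTED = Gem::Version.new("1.13.8")
FIXED_VERSION  = Gem::Version.new("1.13.10")

# True for 1.13.8 and 1.13.9. A platform suffix as written in Gemfile.lock
# ("1.13.9-x86_64-linux") is dropped: Gem::Version reads the dash as prerelease.
def nokogiri_version_affected?(version_string)
  v = Gem::Version.new(version_string.split("-").first)
  v >= FIRST_AFFECTED && v < FIXED_VERSION
end

# Resolved nokogiri version from Gemfile.lock text (a 4-space indent marks a
# resolved spec; 6-space lines are dependencies); nil if nokogiri is not locked.
def locked_nokogiri_version(lockfile_text)
  m = lockfile_text.match(/^ {4}nokogiri \(([^)]+)\)/)
  m && m[1]
end

# 1-based line numbers of the calls the advisory says to search for, only in
# source that mentions XML::Reader (a bare `.attributes` is too common otherwise).
def reader_attribute_calls(ruby_source)
  return [] unless ruby_source.include?("XML::Reader")
  ruby_source.lines.each_with_index.filter_map do |line, i|
    i + 1 if line =~ /\.(attributes|attribute_hash)\b/
  end
end

def exposed?(lockfile_text, ruby_source)
  version = locked_nokogiri_version(lockfile_text)
  !version.nil? && nokogiri_version_affected?(version) &&
    !reader_attribute_calls(ruby_source).empty?
end

# Constructed sample inputs for a stand-alone run.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      nokogiri (1.13.9-x86_64-linux)
        racc (~> 1.4)
LOCK
SAMPLE_SRC = <<~RUBY
  reader = Nokogiri::XML::Reader(untrusted_xml)
  reader.each { |node| attrs = node.attributes }  # reaches Reader#attribute_hash
RUBY

puts exposed?(SAMPLE_LOCK, SAMPLE_SRC)  # true
```

The version check is the authoritative one; the source scan only narrows down where the upgrade matters most, since a bare `.attributes` call is noisy outside files that use XML::Reader.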

Language: Ruby

Severity Score

Weakness Type (CWE)

CWE-476: NULL Pointer Dereference
CWE-252: Unchecked Return Value

Top Fix

Upgrade Version: upgrade to nokogiri 1.13.10

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH
