CVE-2022-23476

Summary

CVE	CVE-2022-23476
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-12-08 04:15:00 UTC
Updated	2022-12-10 03:10:00 UTC
Description	Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.

Risk And Classification

Problem Types: CWE-476 | CWE-252

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Nokogiri	Nokogiri	1.13.8	All	All	All
Application	Nokogiri	Nokogiri	1.13.9	All	All	All

References

Reference	Source	Link	Tags
fix(cruby): XML::Reader#attribute_hash returns nil on error · sparklemotion/nokogiri@9fe0761 · GitHub	MISC	github.com
Unchecked return value from xmlTextReaderExpand · Advisory · sparklemotion/nokogiri · GitHub	MISC	github.com
Merge pull request #2715 from sparklemotion/flavorjones-fix-reader-er… · sparklemotion/nokogiri@85410e3 · GitHub	MISC	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

184494 Debian Security Update for ruby-nokogiri (CVE-2022-23476)
283531 Fedora Security Update for rubygem (FEDORA-2022-acff3f54b2)
283532 Fedora Security Update for rubygem (FEDORA-2022-b5c325caad)
502609 Alpine Linux Security Update for ruby-nokogiri