MEDIUM 5.9

GHSA-286v-pcf5-25rc

Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing

Details

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

Are you affected?

Enter the version of the package you're using.

Affected packages

RubyGems / nokogiri

Introduced in: 0 Fixed in: 1.11.4

Fix bundle update nokogiri

References

https://nvd.nist.gov/vuln/detail/CVE-2021-3537 [ADVISORY]
https://bugzilla.redhat.com/show_bug.cgi?id=1956522 [WEB]
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-3537.yml [WEB]
https://github.com/sparklemotion/nokogiri [PACKAGE]
https://github.com/sparklemotion/nokogiri/blob/2edbbef95f1dc12c1ddc5ebda71b9159026245fe/CHANGELOG.md?plain=1#L722 [WEB]
https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html [WEB]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6 [WEB]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV [WEB]
https://nokogiri.org/CHANGELOG.html#1114-2021-05-14 [WEB]
https://security.gentoo.org/glsa/202107-05 [WEB]
https://security.netapp.com/advisory/ntap-20210625-0002 [WEB]
https://www.oracle.com/security-alerts/cpuapr2022.html [WEB]
https://www.oracle.com/security-alerts/cpujul2022.html [WEB]
https://www.oracle.com/security-alerts/cpuoct2021.html [WEB]