rpm package
opensuse/rubygem-nokogiri&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/rubygem-nokogiri&distro=openSUSE%20Tumbleweed
Vulnerabilities (44)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-29469 | Med | 6.5 | < 1.15.5-1.5 | 1.15.5-1.5 | Apr 24, 2023 | An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there | |
| CVE-2022-23476 | Hig | 7.5 | < 1.15.5-1.5 | 1.15.5-1.5 | Dec 8, 2022 | Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid | |
| CVE-2022-34169 | Hig | 7.5 | < 1.15.5-1.5 | 1.15.5-1.5 | Jul 19, 2022 | The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update t | |
| CVE-2022-29181 | Hig | 8.2 | < 1.13.6-1.1 | 1.13.6-1.1 | May 20, 2022 | Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memor | |
| CVE-2022-29824 | Med | 6.5 | < 1.13.6-1.1 | 1.13.6-1.1 | May 3, 2022 | In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software usin | |
| CVE-2022-24839 | Hig | 7.5 | < 1.13.4-1.1 | 1.13.4-1.1 | Apr 11, 2022 | org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `or | |
| CVE-2022-24836 | Hig | 7.5 | < 1.13.4-1.1 | 1.13.4-1.1 | Apr 11, 2022 | Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. Ther | |
| CVE-2018-25032 | Hig | 7.5 | < 1.13.4-1.1 | 1.13.4-1.1 | Mar 25, 2022 | zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. | |
| CVE-2022-23308 | Hig | 7.5 | < 1.13.3-1.1 | 1.13.3-1.1 | Feb 26, 2022 | valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. | |
| CVE-2022-23437 | Med | 6.5 | < 1.13.4-1.1 | 1.13.4-1.1 | Jan 24, 2022 | There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerabili | |
| CVE-2021-41098 | Hig | 7.5 | < 1.12.5-1.1 | 1.12.5-1.1 | Sep 27, 2021 | Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of thes | |
| CVE-2021-30560 | Hig | 8.8 | < 1.13.3-1.1 | 1.13.3-1.1 | Aug 3, 2021 | Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-3541 | Med | 6.5 | < 1.13.3-1.1 | 1.13.3-1.1 | Jul 9, 2021 | A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service. | |
| CVE-2021-3516 | Hig | 7.8 | < 1.13.3-1.1 | 1.13.3-1.1 | Jun 1, 2021 | There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability. | |
| CVE-2021-3517 | Hig | 8.6 | < 1.13.3-1.1 | 1.13.3-1.1 | May 19, 2021 | There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely | |
| CVE-2021-3518 | Hig | 8.8 | < 1.13.3-1.1 | 1.13.3-1.1 | May 18, 2021 | There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. | |
| CVE-2021-3537 | Med | 5.9 | < 1.13.3-1.1 | 1.13.3-1.1 | May 14, 2021 | A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the applicat | |
| CVE-2020-24977 | Med | 6.5 | < 1.13.3-1.1 | 1.13.3-1.1 | Sep 4, 2020 | GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e. | |
| CVE-2020-7595 | Hig | 7.5 | < 1.13.3-1.1 | 1.13.3-1.1 | Jan 21, 2020 | xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. | |
| CVE-2019-20388 | Hig | 7.5 | < 1.13.3-1.1 | 1.13.3-1.1 | Jan 21, 2020 | xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak. |
- affected < 1.15.5-1.5fixed 1.15.5-1.5
An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there
- affected < 1.15.5-1.5fixed 1.15.5-1.5
Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid
- affected < 1.15.5-1.5fixed 1.15.5-1.5
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update t
- affected < 1.13.6-1.1fixed 1.13.6-1.1
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memor
- affected < 1.13.6-1.1fixed 1.13.6-1.1
In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software usin
- affected < 1.13.4-1.1fixed 1.13.4-1.1
org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `or
- affected < 1.13.4-1.1fixed 1.13.4-1.1
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. Ther
- affected < 1.13.4-1.1fixed 1.13.4-1.1
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
- affected < 1.13.3-1.1fixed 1.13.3-1.1
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
- affected < 1.13.4-1.1fixed 1.13.4-1.1
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerabili
- affected < 1.12.5-1.1fixed 1.12.5-1.1
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of thes
- affected < 1.13.3-1.1fixed 1.13.3-1.1
Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- affected < 1.13.3-1.1fixed 1.13.3-1.1
A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.
- affected < 1.13.3-1.1fixed 1.13.3-1.1
There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.
- affected < 1.13.3-1.1fixed 1.13.3-1.1
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely
- affected < 1.13.3-1.1fixed 1.13.3-1.1
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
- affected < 1.13.3-1.1fixed 1.13.3-1.1
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the applicat
- affected < 1.13.3-1.1fixed 1.13.3-1.1
GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.
- affected < 1.13.3-1.1fixed 1.13.3-1.1
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
- affected < 1.13.3-1.1fixed 1.13.3-1.1
xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.
Page 1 of 3