VYPR

rpm package

opensuse/rubygem-nokogiri&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/rubygem-nokogiri&distro=openSUSE%20Tumbleweed

Vulnerabilities (44)

  • CVE-2019-5477Aug 16, 2019
    affected < 1.13.3-1.1fixed 1.13.3-1.1

    A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input a

  • CVE-2019-11068CriApr 10, 2019
    affected < 1.13.3-1.1fixed 1.13.3-1.1

    libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

  • CVE-2017-15412HigAug 28, 2018
    affected < 1.13.3-1.1fixed 1.13.3-1.1

    Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

  • CVE-2018-14404MedJul 19, 2018
    affected < 1.13.3-1.1fixed 1.13.3-1.1

    A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2

  • CVE-2018-8048MedMar 27, 2018
    affected < 1.13.3-1.1fixed 1.13.3-1.1

    In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.

  • CVE-2017-5029HigApr 24, 2017
    affected < 1.13.3-1.1fixed 1.13.3-1.1

    The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to pe

  • CVE-2016-4738HigSep 25, 2016
    affected < 1.13.3-1.1fixed 1.13.3-1.1

    libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

  • CVE-2016-4658CriSep 25, 2016
    affected < 1.13.3-1.1fixed 1.13.3-1.1

    xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of servic

  • CVE-2016-5131HigJul 23, 2016
    affected < 1.13.3-1.1fixed 1.13.3-1.1

    Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.

  • CVE-2015-8317Dec 15, 2015
    affected < 1.6.8.1-1.3fixed 1.6.8.1-1.3

    The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.

  • CVE-2015-8242Dec 15, 2015
    affected < 1.6.8.1-1.3fixed 1.6.8.1-1.3

    The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.

  • CVE-2015-8241Dec 15, 2015
    affected < 1.6.8.1-1.3fixed 1.6.8.1-1.3

    The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.

  • CVE-2015-7500Dec 15, 2015
    affected < 1.6.8.1-1.3fixed 1.6.8.1-1.3

    The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags.

  • CVE-2015-7499Dec 15, 2015
    affected < 1.6.8.1-1.3fixed 1.6.8.1-1.3

    Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.

  • CVE-2015-7498Dec 15, 2015
    affected < 1.6.8.1-1.3fixed 1.6.8.1-1.3

    Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure.

  • CVE-2015-7497Dec 15, 2015
    affected < 1.6.8.1-1.3fixed 1.6.8.1-1.3

    Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors.

  • CVE-2015-5312Dec 15, 2015
    affected < 1.6.8.1-1.3fixed 1.6.8.1-1.3

    The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.

  • CVE-2015-8035Nov 18, 2015
    affected < 1.6.8.1-1.3fixed 1.6.8.1-1.3

    The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.

  • CVE-2015-7942Nov 18, 2015
    affected < 1.6.8.1-1.3fixed 1.6.8.1-1.3

    The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different

  • CVE-2015-7941Nov 18, 2015
    affected < 1.6.8.1-1.3fixed 1.6.8.1-1.3

    libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as