GHSA-4hm9-844j-jmxp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4hm9-844j-jmxp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4hm9-844j-jmxp/GHSA-4hm9-844j-jmxp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4hm9-844j-jmxp
- Aliases
- Published
- 2022-05-24T16:49:06Z
- Modified
- 2024-12-07T05:39:10.962514Z
- Summary
- Uninitialized read in Nokogiri gem
- Details
-
In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
- Database specific
{ "nvd_published_at": "2019-07-01T02:15:00Z", "cwe_ids": [ "CWE-908" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-06-09T23:00:36Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-13117
- https://github.com/sparklemotion/nokogiri/issues/1943
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-13117.yml
- https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ
- https://oss-fuzz.com/testcase-detail/5631739747106816
- https://security.netapp.com/advisory/ntap-20190806-0004
- https://security.netapp.com/advisory/ntap-20200122-0003
- https://usn.ubuntu.com/4164-1
- https://www.oracle.com/security-alerts/cpujan2020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
- http://www.openwall.com/lists/oss-security/2019/11/17/2
Affected packages
RubyGems / nokogiri
Package
- Name
- nokogiri
- Purl
- pkg:gem/nokogiri
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.10.5
Affected versions
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.4.2
1.4.2.1
1.4.3
1.4.3.1
1.4.4
1.4.4.1
1.4.4.2
1.4.5
1.4.6
1.4.7
1.5.0.beta.1
1.5.0.beta.2
1.5.0.beta.3
1.5.0.beta.4
1.5.0
1.5.1.rc1
1.5.1
1.5.2
1.5.3.rc2
1.5.3.rc3
1.5.3.rc4
1.5.3.rc5
1.5.3.rc6
1.5.3
1.5.4.rc1
1.5.4.rc2
1.5.4.rc3
1.5.4
1.5.5.rc1
1.5.5.rc2
1.5.5.rc3
1.5.5
1.5.6.rc1
1.5.6.rc2
1.5.6.rc3
1.5.6
1.5.7.rc1
1.5.7.rc2
1.5.7.rc3
1.5.7
1.5.8
1.5.9
1.5.10
1.5.11
1.6.0.rc1
1.6.0
1.6.1
1.6.2.rc1
1.6.2.rc2
1.6.2.rc3
1.6.2
1.6.2.1
1.6.3.rc1
1.6.3.rc2
1.6.3.rc3
1.6.3
1.6.3.1
1.6.4
1.6.4.1
1.6.5
1.6.6.1
1.6.6.2
1.6.6.3
1.6.6.4
1.6.7.rc2
1.6.7.rc3
1.6.7.rc4
1.6.7
1.6.7.1
1.6.7.2
1.6.8.rc1
1.6.8.rc2
1.6.8.rc3
1.6.8
1.6.8.1
1.7.0
1.7.0.1
1.7.1
1.7.2
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.9.0.rc1
1.9.0
1.9.1
1.10.0.rc1
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4