GHSA-crjr-9rc5-ghw8

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-crjr-9rc5-ghw8/GHSA-crjr-9rc5-ghw8.json
Aliases
Published
2022-04-11T21:18:06Z
Modified
2022-09-20T03:27:13.895113Z
Details

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Severity

The Nokogiri maintainers have evaluated this as High Severity, 7.5 (CVSS 3.1).

References

CWE-1333 Inefficient Regular Expression Complexity

Credit

This vulnerability was reported by HackerOne user ooooooo_q (ななおく).

Affected packages

RubyGems / nokogiri

nokogiri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Fixed
1.13.4

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0
1.1.1
1.10.0
1.10.0.rc1
1.10.1
1.10.10
1.10.2
1.10.3
1.10.4
1.10.5
1.10.6
1.10.7
1.10.8
1.10.9
1.11.0
1.11.0.rc1
1.11.0.rc2
1.11.0.rc3
1.11.0.rc4
1.11.1
1.11.2
1.11.3
1.11.4
1.11.5
1.11.6
1.11.7
1.12.0
1.12.0.rc1
1.12.1
1.12.2
1.12.3
1.12.4
1.12.5
1.13.0
1.13.1
1.13.2
1.13.3
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.4.2
1.4.2.1
1.4.3
1.4.3.1
1.4.4
1.4.4.1
1.4.4.2
1.4.5
1.4.6
1.4.7
1.5.0
1.5.0.beta.1
1.5.0.beta.2
1.5.0.beta.3
1.5.0.beta.4
1.5.1
1.5.1.rc1
1.5.10
1.5.11
1.5.2
1.5.3
1.5.3.rc2
1.5.3.rc3
1.5.3.rc4
1.5.3.rc5
1.5.3.rc6
1.5.4
1.5.4.rc1
1.5.4.rc2
1.5.4.rc3
1.5.5
1.5.5.rc1
1.5.5.rc2
1.5.5.rc3
1.5.6
1.5.6.rc1
1.5.6.rc2
1.5.6.rc3
1.5.7
1.5.7.rc1
1.5.7.rc2
1.5.7.rc3
1.5.8
1.5.9
1.6.0
1.6.0.rc1
1.6.1
1.6.2
1.6.2.1
1.6.2.rc1
1.6.2.rc2
1.6.2.rc3
1.6.3
1.6.3.1
1.6.3.rc1
1.6.3.rc2
1.6.3.rc3
1.6.4
1.6.4.1
1.6.5
1.6.6.1
1.6.6.2
1.6.6.3
1.6.6.4
1.6.7
1.6.7.1
1.6.7.2
1.6.7.rc2
1.6.7.rc3
1.6.7.rc4
1.6.8
1.6.8.1
1.6.8.rc1
1.6.8.rc2
1.6.8.rc3
1.7.0
1.7.0.1
1.7.1
1.7.2
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.9.0
1.9.0.rc1
1.9.1