GHSA-fr52-4hqw-p27f

Source

https://github.com/advisories/GHSA-fr52-4hqw-p27f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-fr52-4hqw-p27f/GHSA-fr52-4hqw-p27f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fr52-4hqw-p27f

Aliases

CVE-2016-4658

Published

2018-08-21T19:03:26Z

Modified

2024-02-16T08:15:24.828530Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Nokogiri does not forbid namespace nodes in XPointer ranges

Details

xpointer.c in libxml2 before 2.9.5 (as used in nokogiri before 1.7.1 amongst other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.

References

Affected packages

RubyGems / nokogiri

Package

Name: nokogiri
Purl: pkg:gem/nokogiri

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.7.1

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1.0

1.1.1

1.2.0

1.2.1

1.2.2

1.2.3

1.3.0

1.3.1

1.3.2

1.3.3

1.4.0

1.4.1

1.4.2

1.4.2.1

1.4.3

1.4.3.1

1.4.4

1.4.4.1

1.4.4.2

1.4.5

1.4.6

1.4.7

1.5.0.beta.1

1.5.0.beta.2

1.5.0.beta.3

1.5.0.beta.4

1.5.0

1.5.1.rc1

1.5.1

1.5.2

1.5.3.rc2

1.5.3.rc3

1.5.3.rc4

1.5.3.rc5

1.5.3.rc6

1.5.3

1.5.4.rc1

1.5.4.rc2

1.5.4.rc3

1.5.4

1.5.5.rc1

1.5.5.rc2

1.5.5.rc3

1.5.5

1.5.6.rc1

1.5.6.rc2

1.5.6.rc3

1.5.6

1.5.7.rc1

1.5.7.rc2

1.5.7.rc3

1.5.7

1.5.8

1.5.9

1.5.10

1.5.11

1.6.0.rc1

1.6.0

1.6.1

1.6.2.rc1

1.6.2.rc2

1.6.2.rc3

1.6.2

1.6.2.1

1.6.3.rc1

1.6.3.rc2

1.6.3.rc3

1.6.3

1.6.3.1

1.6.4

1.6.4.1

1.6.5

1.6.6.1

1.6.6.2

1.6.6.3

1.6.6.4

1.6.7.rc2

1.6.7.rc3

1.6.7.rc4

1.6.7

1.6.7.1

1.6.7.2

1.6.8.rc1

1.6.8.rc2

1.6.8.rc3

1.6.8

1.6.8.1

1.7.0

1.7.0.1