CVE-2022-23476
CVSS V2 None
CVSS V3 None
Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.
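The advisory suggests two checks: whether the installed Nokogiri release is one of the affected versions, and whether the code base calls `XML::Reader#attributes` or `XML::Reader#attribute_hash`. The following Ruby script is an added example written for this page, not code from the CVE record or from the Nokogiri project; the sample source it scans is constructed, and the call scanner is a textual heuristic that cannot prove the receiver is an `XML::Reader`, so hits need manual review.

```ruby
# Added triage helper for CVE-2022-23476 (example code, not Nokogiri's own).
require "rubygems" # for Gem::Version

# Affected releases per the CPE configuration: 1.13.8 and 1.13.9. Fixed in >= 1.13.10.
AFFECTED_VERSIONS = %w[1.13.8 1.13.9].freeze
FIXED_VERSION = Gem::Version.new("1.13.10")

# True when the given Nokogiri version string is one of the two affected releases.
def affected_version?(version)
  v = Gem::Version.new(version)
  AFFECTED_VERSIONS.any? { |a| v == Gem::Version.new(a) }
end

# True when the given version already carries the fix (>= 1.13.10).
def fixed_version?(version)
  Gem::Version.new(version) >= FIXED_VERSION
end

# Match the two methods the advisory names. "\b" keeps "attributes" from
# matching longer identifiers such as "attribute_nodes".
READER_CALL_RE = /\.(attribute_hash|attributes)\b/

# Scan Ruby source text and return [line_number, stripped_line] pairs for
# every line that calls one of the two methods.
def find_reader_attribute_calls(source)
  source.each_line.with_index(1).filter_map do |line, number|
    [number, line.strip] if line.match?(READER_CALL_RE)
  end
end

# Constructed sample: an application fragment that streams an upload with XML::Reader.
SAMPLE_SOURCE = <<~RUBY
  reader = Nokogiri::XML::Reader(upload.read)
  reader.each do |node|
    next unless node.node_type == Nokogiri::XML::Reader::TYPE_ELEMENT
    attrs = node.attribute_hash   # hit: method named in the advisory
    log(node.attributes)          # hit: method named in the advisory
  end
  doc.root.attribute_nodes        # not a hit: different method
RUBY

if __FILE__ == $PROGRAM_NAME
  installed = ARGV[0] || "1.13.9" # pass the installed Nokogiri version as the first argument
  puts "Nokogiri #{installed}: affected=#{affected_version?(installed)} fixed=#{fixed_version?(installed)}"
  find_reader_attribute_calls(SAMPLE_SOURCE).each do |number, text|
    puts "  line #{number}: #{text}"
  end
end
```

Run it as `ruby triage.rb 1.13.9` to see both checks; in a real code base, feed `find_reader_attribute_calls` the contents of each `.rb` file and review the hits where the parsed input is untrusted.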
Overview
- CVE ID: CVE-2022-23476
- Assigner: security-advisories@github.com
- Vulnerability Status: Analyzed
- Published Version: 2022-12-08T04:15:09
- Last Modified Date: 2022-12-10T03:10:55
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End |
---|---|---|---|---|
cpe:2.3:a:nokogiri:nokogiri:1.13.8:*:*:*:*:ruby:*:* | 1 | OR | | |
cpe:2.3:a:nokogiri:nokogiri:1.13.9:*:*:*:*:ruby:*:* | 1 | OR | | |
References
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-23476 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23476 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2022-12-08 04:38:29 | | | Added to TrackCVE | |
2022-12-09 20:16:38 | 2022-12-08T04:15:09.043 | 2022-12-08T04:15:09 | CVE Published Date | updated |
2022-12-09 20:16:38 | | 2022-12-08T04:33:59 | CVE Modified Date | updated |
2022-12-09 20:16:38 | Awaiting Analysis | Undergoing Analysis | Vulnerability Status | updated |
2022-12-10 03:15:15 | | 2022-12-10T03:10:55 | CVE Modified Date | updated |
2022-12-10 03:15:15 | Undergoing Analysis | Analyzed | Vulnerability Status | updated |
2022-12-10 03:15:16 | | | CPE Information | updated |