CVE-2019-5815 (nokogiri): Nokogiri implementation of libxslt vulnerable to heap corruption

ADVISORIES

CVE-2019-5815 (NVD)
GHSA-vmfx-gcfq-wvm2
Vendor Advisory

GEM

nokogiri

SEVERITY

CVSS v3.x: 7.5 (High)

CVSS v2.0: 5.0 (Medium)

PATCHED VERSIONS

>= 1.10.5

DESCRIPTION

Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.

Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.

https://nvd.nist.gov/vuln/detail/CVE-2019-5815
https://github.com/sparklemotion/nokogiri/issues/2630
https://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b
https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html
https://github.com/advisories/GHSA-vmfx-gcfq-wvm2

RubySec

CVE-2019-5815 (nokogiri): Nokogiri implementation of libxslt vulnerable to heap corruption

ADVISORIES

GEM

SEVERITY

PATCHED VERSIONS

DESCRIPTION

RELATED

Recent Advisories