Nokogiri implementation of libxslt vulnerable to heap corruption

GHSA-vmfx-gcfq-wvm2 · CVE-2019-5815

Published May 24, 2022 · Modified Feb 16, 2024

Description

Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.

Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-5815
WEB https://github.com/sparklemotion/nokogiri/issues/2630
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5815.yml
PACKAGE https://github.com/sparklemotion/nokogiri
WEB https://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b
WEB https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes