CVE-2016-4658 – nokogiri

Package

Manager: gem
Name: nokogiri
Vulnerable Version: >=0 <1.7.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.19344 pctl0.9515

Details

Nokogiri does not forbid namespace nodes in XPointer ranges xpointer.c in libxml2 before 2.9.5 (as used in nokogiri before 1.7.1 amongst other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.

Metadata

Created: 2018-08-21T19:03:26Z
Modified: 2022-04-26T18:24:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-fr52-4hqw-p27f/GHSA-fr52-4hqw-p27f.json
CWE IDs: ["CWE-119"]
Alternative ID: GHSA-fr52-4hqw-p27f
Finding: F316
Auto approve: 1