logo

Database

Asymmetric denial of service - ReDoS In ruby-nokogiri

Description

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-248362. NVD-2022-248363. OSV-DEBIAN-2022-248364. OSV-2022-248365. GHSA-crjr-9rc5-ghw86. GCVE-2022-248367. SECURITY-TRACKER-CVE-2022-248368. lists.debian.org9. lists.debian.org10. security.gentoo.org

References

1. https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw82. https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd3. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml4. https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.45. https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer6. https://lists.fedoraproject.org/archives/list/[email protected]/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM7. https://lists.fedoraproject.org/archives/list/[email protected]/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC8. https://lists.fedoraproject.org/archives/list/[email protected]/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA39. https://support.apple.com/kb/HT21353210. http://seclists.org/fulldisclosure/2022/Dec/23

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.