logo

Database

Out-of-bounds read In nokogiri

Description

Out-of-bounds Write in zlib affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.4, and only if the packaged version of zlib is being used. Please see this document for a complete description of which platform gems vendor zlib. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's zlib release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

    Severity: High

    Type: CWE-787 Out of bounds write

    Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. NVD-2018-250322. GHSA-v6gp-9mmm-c6p53. GHSA-jc36-42cf-vqwj4. GCVE-GHSA-v6gp-9mmm-c6p5

References

1. https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p52. https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.43. https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-WAS1G – Vulnerability | Fluid Attacks Database