CVE-2018-14404 — Nokogiri NULL Pointer Dereference

Description

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.

How to fix CVE-2018-14404

To remediate CVE-2018-14404, upgrade the affected package to a fixed version below.

—upgrade to 2.9.8-r1 or later
—upgrade to 2.9.10+dfsg-2 or later
—upgrade to 1.8.5 or later

Is CVE-2018-14404 being exploited?

Moderate — EPSS is 20.0%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

from 0, < 2.9.8-r1
from 0, < 2.9.10+dfsg-2
from 0, < 1.8.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (14)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-14404
ADVISORYsecurity.alpinelinux.org/vuln/CVE-2018-14404
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-14404
WEBaccess.redhat.com/errata/RHSA-2019:1543
WEB