CVE-2022-23476

Description

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.

How to fix CVE-2022-23476

To remediate CVE-2022-23476, upgrade the affected package to a fixed version below.

• —upgrade to 1.13.10+dfsg-1 or later
• —upgrade to 1.13.10 or later

Is CVE-2022-23476 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 1.13.10+dfsg-1
• >= 1.13.8, < 1.13.10

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23476
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-23476
• PATCHgithub.com/sparklemotion/nokogiri
• WEBgithub.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-23476.yml