CVE-2022-23476 - Vulnerability Details

Vendors	Products
Nokogiri	Nokogiri

Link	Providers
https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce
https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj
https://nvd.nist.gov/vuln/detail/CVE-2022-23476
https://www.cve.org/CVERecord?id=CVE-2022-23476

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Show plain JSON

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-23476", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "dateReserved": "2022-01-19T21:23:53.758Z", "datePublished": "2022-12-08T03:03:24.572Z", "dateUpdated": "2025-04-23T16:31:18.189Z"}, "containers": {"cna": {"title": "Unchecked return value from xmlTextReaderExpand in Nokogiri", "problemTypes": [{"descriptions": [{"cweId": "CWE-252", "lang": "en", "description": "CWE-252: Unchecked Return Value", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj"}, {"name": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce", "tags": ["x_refsource_MISC"], "url": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce"}, {"name": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50", "tags": ["x_refsource_MISC"], "url": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50"}], "affected": [{"vendor": "sparklemotion", "product": "nokogiri", "versions": [{"version": ">= 1.13.8, < 1.13.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-08T03:03:24.572Z"}, "descriptions": [{"lang": "en", "value": "Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected."}], "source": {"advisory": "GHSA-qv4q-mr5r-qprj", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.006Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj"}, {"name": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce"}, {"name": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:48:08.798198Z", "id": "CVE-2022-23476", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T16:31:18.189Z"}}]}}

{

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

cveMetadata : { »

cveId : CVE-2022-23476 (string)

assignerOrgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

state : PUBLISHED (string)

assignerShortName : GitHub_M (string)

requesterUserId : c184a3d9-dc98-4c48-a45b-d2d88cf0ac74 (string)

dateReserved : 2022-01-19T21:23:53.758Z (string)

datePublished : 2022-12-08T03:03:24.572Z (string)

dateUpdated : 2025-04-23T16:31:18.189Z (string)

}

containers : { »

cna : { »

title : Unchecked return value from xmlTextReaderExpand in Nokogiri (string)

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-252 (string)

lang : en (string)

description : CWE-252: Unchecked Return Value (string)

type : CWE (string)

}

]

}

1 : { »

descriptions : [ »

0 : { »

cweId : CWE-476 (string)

lang : en (string)

description : CWE-476: NULL Pointer Dereference (string)

type : CWE (string)

}

]

}

]

metrics : [ »

0 : { »

cvssV3_1 : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (string)

version : 3.1 (string)

}

]

references : [ »

0 : { »

name : https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj (string)

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj (string)

}

1 : { »

name : https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce (string)

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce (string)

}

2 : { »

name : https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50 (string)

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50 (string)

}

]

affected : [ »

0 : { »

vendor : sparklemotion (string)

product : nokogiri (string)

versions : [ »

0 : { »

version : >= 1.13.8, < 1.13.10 (string)

status : affected (string)

}

]

}

]

providerMetadata : { »

orgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

shortName : GitHub_M (string)

dateUpdated : 2022-12-08T03:03:24.572Z (string)

}

descriptions : [ »

0 : { »

lang : en (string)

value : Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected. (string)

}

]

source : { »

advisory : GHSA-qv4q-mr5r-qprj (string)

discovery : UNKNOWN (string)

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T03:43:46.006Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

name : https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj (string)

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj (string)

}

1 : { »

name : https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce (string)

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce (string)

}

2 : { »

name : https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50 (string)

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50 (string)

}

]

}

1 : { »

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

timestamp : 2025-04-23T15:48:08.798198Z (string)

id : CVE-2022-23476 (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : yes (string)

}

2 : { »

Technical Impact : partial (string)

}

]

role : CISA Coordinator (string)

version : 2.0.3 (string)

}

]

title : CISA ADP Vulnrichment (string)

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2025-04-23T16:31:18.189Z (string)

}

]

}

Show plain JSON

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-23476", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "dateReserved": "2022-01-19T21:23:53.758Z", "datePublished": "2022-12-08T03:03:24.572Z", "dateUpdated": "2025-04-23T16:31:18.189Z"}, "containers": {"cna": {"title": "Unchecked return value from xmlTextReaderExpand in Nokogiri", "problemTypes": [{"descriptions": [{"cweId": "CWE-252", "lang": "en", "description": "CWE-252: Unchecked Return Value", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj"}, {"name": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce", "tags": ["x_refsource_MISC"], "url": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce"}, {"name": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50", "tags": ["x_refsource_MISC"], "url": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50"}], "affected": [{"vendor": "sparklemotion", "product": "nokogiri", "versions": [{"version": ">= 1.13.8, < 1.13.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-08T03:03:24.572Z"}, "descriptions": [{"lang": "en", "value": "Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected."}], "source": {"advisory": "GHSA-qv4q-mr5r-qprj", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.006Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj"}, {"name": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce"}, {"name": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-23476", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T15:48:08.798198Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:48:10.775Z"}}]}}

{

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

cveMetadata : { »

cveId : CVE-2022-23476 (string)

assignerOrgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

state : PUBLISHED (string)

assignerShortName : GitHub_M (string)

requesterUserId : c184a3d9-dc98-4c48-a45b-d2d88cf0ac74 (string)

dateReserved : 2022-01-19T21:23:53.758Z (string)

datePublished : 2022-12-08T03:03:24.572Z (string)

dateUpdated : 2025-04-23T16:31:18.189Z (string)

}

containers : { »

cna : { »

title : Unchecked return value from xmlTextReaderExpand in Nokogiri (string)

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-252 (string)

lang : en (string)

description : CWE-252: Unchecked Return Value (string)

type : CWE (string)

}

]

}

1 : { »

descriptions : [ »

0 : { »

cweId : CWE-476 (string)

lang : en (string)

description : CWE-476: NULL Pointer Dereference (string)

type : CWE (string)

}

]

}

]

metrics : [ »

0 : { »

cvssV3_1 : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (string)

version : 3.1 (string)

}

]

references : [ »

0 : { »

name : https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj (string)

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj (string)

}

1 : { »

name : https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce (string)

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce (string)

}

2 : { »

name : https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50 (string)

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50 (string)

}

]

affected : [ »

0 : { »

vendor : sparklemotion (string)

product : nokogiri (string)

versions : [ »

0 : { »

version : >= 1.13.8, < 1.13.10 (string)

status : affected (string)

}

]

}

]

providerMetadata : { »

orgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

shortName : GitHub_M (string)

dateUpdated : 2022-12-08T03:03:24.572Z (string)

}

descriptions : [ »

0 : { »

lang : en (string)

value : Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected. (string)

}

]

source : { »

advisory : GHSA-qv4q-mr5r-qprj (string)

discovery : UNKNOWN (string)

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T03:43:46.006Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

name : https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj (string)

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj (string)

}

1 : { »

name : https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce (string)

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce (string)

}

2 : { »

name : https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50 (string)

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50 (string)

}

]

}

1 : { »

title : CISA ADP Vulnrichment (string)

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2022-23476 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : yes (string)

}

2 : { »

Technical Impact : partial (string)

}

]

version : 2.0.3 (string)

timestamp : 2025-04-23T15:48:08.798198Z (string)

}

]

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2025-04-23T15:48:10.775Z (string)

}

]

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nokogiri:nokogiri:1.13.8:*:*:*:*:ruby:*:*", "matchCriteriaId": "5B720209-2ADC-4B12-8BEE-D5F827279B06", "vulnerable": true}, {"criteria": "cpe:2.3:a:nokogiri:nokogiri:1.13.9:*:*:*:*:ruby:*:*", "matchCriteriaId": "AA8BBC8F-F780-4359-81CA-EBB3A5767FB5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected."}, {"lang": "es", "value": "Nokogiri es una librer\u00eda XML y HTML de c\u00f3digo abierto para el lenguaje de programaci\u00f3n Ruby. Nokogiri `1.13.8` y `1.13.9` no pueden verificar el valor de retorno de `xmlTextReaderExpand` en el m\u00e9todo `Nokogiri::XML::Reader#attribute_hash`. Esto puede provocar una excepci\u00f3n de puntero null cuando se analiza un marcado no v\u00e1lido. Para las aplicaciones que utilizan `XML::Reader` para analizar entradas que no son de confianza, esto puede ser potencialmente un vector para un ataque de Denegaci\u00f3n de Servicio (DoS). Se recomienda a los usuarios actualizar a Nokogiri `&gt;= 1.13.10`. Los usuarios pueden buscar en su c\u00f3digo llamadas a `XML::Reader#attributes` o `XML::Reader#attribute_hash` para determinar si est\u00e1n afectados."}], "id": "CVE-2022-23476", "lastModified": "2024-11-21T06:48:38.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-08T04:15:09.043", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-252"}, {"lang": "en", "value": "CWE-476"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:nokogiri:nokogiri:1.13.8:*:*:*:*:ruby:*:* (string)

matchCriteriaId : 5B720209-2ADC-4B12-8BEE-D5F827279B06 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:nokogiri:nokogiri:1.13.9:*:*:*:*:ruby:*:* (string)

matchCriteriaId : AA8BBC8F-F780-4359-81CA-EBB3A5767FB5 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected. (string)

}

1 : { »

lang : es (string)

value : Nokogiri es una librería XML y HTML de código abierto para el lenguaje de programación Ruby. Nokogiri `1.13.8` y `1.13.9` no pueden verificar el valor de retorno de `xmlTextReaderExpand` en el método `Nokogiri::XML::Reader#attribute_hash`. Esto puede provocar una excepción de puntero null cuando se analiza un marcado no válido. Para las aplicaciones que utilizan `XML::Reader` para analizar entradas que no son de confianza, esto puede ser potencialmente un vector para un ataque de Denegación de Servicio (DoS). Se recomienda a los usuarios actualizar a Nokogiri `>= 1.13.10`. Los usuarios pueden buscar en su código llamadas a `XML::Reader#attributes` o `XML::Reader#attribute_hash` para determinar si están afectados. (string)

}

]

id : CVE-2022-23476 (string)

lastModified : 2024-11-21T06:48:38.397 (string)

metrics : { »

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 3.6 (number)

source : security-advisories@github.com (string)

type : Secondary (string)

}

1 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2022-12-08T04:15:09.043 (string)

references : [ »

0 : { »

source : security-advisories@github.com (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce (string)

}

1 : { »

source : security-advisories@github.com (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50 (string)

}

2 : { »

source : security-advisories@github.com (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj (string)

}

]

sourceIdentifier : security-advisories@github.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-252 (string)

}

1 : { »

lang : en (string)

value : CWE-476 (string)

}

]

source : security-advisories@github.com (string)

type : Secondary (string)

}

]

}

Show plain JSON

{"bugzilla": {"description": "rubygem-nokogiri: Denial of service", "id": "2153279", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153279"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "(CWE-252|CWE-476)", "details": ["Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.", "A denial of service flaw was found in rubygem-nokogiri. When parsing invalid markup, a NULL pointer exception may occur, which is a potential vector for a denial of service attack."], "name": "CVE-2022-23476", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Not affected", "package_name": "rubygem-nokogiri", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Not affected", "package_name": "3scale-amp-backend-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Not affected", "package_name": "3scale-amp-zync-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Not affected", "package_name": "3scale-toolbox-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Affected", "package_name": "rocksdb", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "rocksdb", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/a:redhat:ceph_storage:8", "fix_state": "Affected", "package_name": "rocksdb", "product_name": "Red Hat Ceph Storage 8"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite-capsule:el8/rubygem-nokogiri", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite:el8/rubygem-amazing_print", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite:el8/rubygem-nokogiri", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite-utils:el8/rubygem-amazing_print", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "tfm-ror51-rubygem-nokogiri", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "tfm-ror52-rubygem-nokogiri", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "tfm-rubygem-amazing_print", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "tfm-rubygem-nokogiri", "product_name": "Red Hat Satellite 6"}], "public_date": "2022-12-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-23476\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-23476\nhttps://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj"], "threat_severity": "Moderate"}

{

bugzilla : { »

description : rubygem-nokogiri: Denial of service (string)

id : 2153279 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=2153279 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 7.5 (string)

cvss3_scoring_vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (string)

status : draft (string)

}

cwe : (CWE-252|CWE-476) (string)

details : [ »

0 : Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected. (string)

1 : A denial of service flaw was found in rubygem-nokogiri. When parsing invalid markup, a NULL pointer exception may occur, which is a potential vector for a denial of service attack. (string)

]

name : CVE-2022-23476 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:redhat:cloudforms_managementengine:5 (string)

fix_state : Not affected (string)

package_name : rubygem-nokogiri (string)

product_name : CloudForms Management Engine 5 (string)

}

1 : { »

cpe : cpe:/a:redhat:red_hat_3scale_amp:2 (string)

fix_state : Not affected (string)

package_name : 3scale-amp-backend-container (string)

product_name : Red Hat 3scale API Management Platform 2 (string)

}

2 : { »

cpe : cpe:/a:redhat:red_hat_3scale_amp:2 (string)

fix_state : Not affected (string)

package_name : 3scale-amp-zync-container (string)

product_name : Red Hat 3scale API Management Platform 2 (string)

}

3 : { »

cpe : cpe:/a:redhat:red_hat_3scale_amp:2 (string)

fix_state : Not affected (string)

package_name : 3scale-toolbox-container (string)

product_name : Red Hat 3scale API Management Platform 2 (string)

}

4 : { »

cpe : cpe:/a:redhat:ceph_storage:6 (string)

fix_state : Affected (string)

package_name : rocksdb (string)

product_name : Red Hat Ceph Storage 6 (string)

}

5 : { »

cpe : cpe:/a:redhat:ceph_storage:7 (string)

fix_state : Affected (string)

package_name : rocksdb (string)

product_name : Red Hat Ceph Storage 7 (string)

}

6 : { »

cpe : cpe:/a:redhat:ceph_storage:8 (string)

fix_state : Affected (string)

package_name : rocksdb (string)

product_name : Red Hat Ceph Storage 8 (string)

}

7 : { »

cpe : cpe:/a:redhat:satellite:6 (string)

fix_state : Not affected (string)

package_name : satellite-capsule:el8/rubygem-nokogiri (string)

product_name : Red Hat Satellite 6 (string)

}

8 : { »

cpe : cpe:/a:redhat:satellite:6 (string)

fix_state : Not affected (string)

package_name : satellite:el8/rubygem-amazing_print (string)

product_name : Red Hat Satellite 6 (string)

}

9 : { »

cpe : cpe:/a:redhat:satellite:6 (string)

fix_state : Not affected (string)

package_name : satellite:el8/rubygem-nokogiri (string)

product_name : Red Hat Satellite 6 (string)

}

10 : { »

cpe : cpe:/a:redhat:satellite:6 (string)

fix_state : Not affected (string)

package_name : satellite-utils:el8/rubygem-amazing_print (string)

product_name : Red Hat Satellite 6 (string)

}

11 : { »

cpe : cpe:/a:redhat:satellite:6 (string)

fix_state : Not affected (string)

package_name : tfm-ror51-rubygem-nokogiri (string)

product_name : Red Hat Satellite 6 (string)

}

12 : { »

cpe : cpe:/a:redhat:satellite:6 (string)

fix_state : Not affected (string)

package_name : tfm-ror52-rubygem-nokogiri (string)

product_name : Red Hat Satellite 6 (string)

}

13 : { »

cpe : cpe:/a:redhat:satellite:6 (string)

fix_state : Not affected (string)

package_name : tfm-rubygem-amazing_print (string)

product_name : Red Hat Satellite 6 (string)

}

14 : { »

cpe : cpe:/a:redhat:satellite:6 (string)

fix_state : Not affected (string)

package_name : tfm-rubygem-nokogiri (string)

product_name : Red Hat Satellite 6 (string)

}

]

public_date : 2022-12-08T00:00:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2022-23476 https://nvd.nist.gov/vuln/detail/CVE-2022-23476 https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj (string)

]

threat_severity : Moderate (string)

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object