Mageia 7 Advisory MGASA-2021-0063: Moderate Ruby-Nokogiri Command Risk
mageia
February 4, 2021
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method
Summary
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
commands to be executed in a subprocess via Ruby's `Kernel.open` method.
Processes are vulnerable only if the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as
the filename (CVE-2019-5477).
In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML
Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing
external resources to be accessed over the network, potentially enabling XXE or
SSRF attacks. This behavior is counter to the security policy followed by
Nokogiri maintainers, which is to treat all input as untrusted by default
whenever possible (CVE-2020-26247).
The ruby-nokogiri package has been updated to version 1.10.10 to fix
CVE-2019-5477 and patched to fix CVE-2020-26247.
References
- https://bugs.mageia.org/show_bug.cgi?id=28141
- https://github.com/sparklemotion/nokogiri/releases/
- https://lists.suse.com/pipermail/sle-security-updates/2021-January/008244.html
- https://www.cve.org/CVERecord?id=CVE-2019-5477
- https://www.cve.org/CVERecord?id=CVE-2020-26247
Resolution
SRPMS
- 7/core/ruby-nokogiri-1.10.10-1.mga7
PREVIOUS
NEXT
Publication date: 04 Feb 2021
URL: https://advisories.mageia.org/MGASA-2021-0063.html
Type: security
CVE: CVE-2019-5477,
CVE-2020-26247
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!