CVE-2019-5477 - Nokogiri Command Injection Vulnerability #1915

Closed
flavorjones opened this issue Jul 20, 2019 · 4 comments
@flavorjones flavorjones commented Jul 20, 2019

CVE-2019-5477 - Nokogiri Command Injection Vulnerability

This issue has been created for public disclosure of a Command Injection vulnerability that was responsibly reported by @kyoshidajp (Katsuhiko YOSHIDA).

I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Nokogiri maintainers.

Severity

Nokogiri maintainers have evaluated this as High (CVSS3 8.1)

Description

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Affected Versions

Nokogiri < v1.10.4

Mitigation

Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.

Further Mitigating Actions Taken

This vulnerability could have been easily detected using Rubocop's Security cop, and so the Security cop has been introduced into the test suite. If for any reason Rubocop flags something as "insecure" in the future, that will fail the test suite and block release.

References


History of this public disclosure

  • 2019-07-20T19:42+00:00: empty issue-of-record created, all information is embargoed
  • 2019-08-11T19:28+00:00: embargo ends, full information made available
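
As an added illustration for this advisory (example code written for this page, not Nokogiri's or Rexical's own): a hypothetical `Scanner#load_file` in the shape the description above gives, reading the file with `File.open` rather than the bare `Kernel#open` (which is, as I understand the Rexical v1.0.7 change, the substance of the fix), together with a simplified bare-`open` check in the spirit of the RuboCop Security cop mentioned under "Further Mitigating Actions Taken". The module, class and method names and the sample source are all constructed; the check is a regex approximation, not the cop itself.

```ruby
# Added example for this issue, not Nokogiri's or Rexical's own code.
# Names (LoadFileExample, Scanner, flag_bare_open, SAMPLE_SOURCE) are
# hypothetical, and the sample source below is constructed.
require "tempfile"

module LoadFileExample
  # A scanner in the shape of the generated code the advisory describes:
  # load_file reads a file of CSS text and keeps its lines.
  class Scanner
    attr_reader :filename, :lines

    # Hardened shape. Kernel#open treats an argument that begins with "|"
    # as a subprocess to spawn, which is the CVE-2019-5477 defect when the
    # filename is untrusted. File.open can only open a file, so the same
    # argument is just an unusual filename and raises Errno::ENOENT.
    def load_file(filename)
      @filename = filename
      File.open(filename, "r") { |f| @lines = f.readlines }
      self
    end
  end

  # Reads a file through the hardened scanner; returns its stripped lines.
  def self.tokenize_file(path)
    Scanner.new.load_file(path).lines.map(&:strip)
  end

  # Writes a constructed CSS snippet to a temp file and reads it back,
  # so the example runs stand-alone.
  def self.demo
    tf = Tempfile.new("css")
    tf.write("a > b {\n  color: red;\n}\n")
    tf.close
    tokenize_file(tf.path)
  ensure
    tf&.unlink
  end

  # True when the name is treated as a (missing) file and nothing else:
  # the behaviour we want from the hardened load_file.
  def self.missing_file?(name)
    Scanner.new.load_file(name)
    false
  rescue Errno::ENOENT
    true
  end

  # Simplified check in the spirit of RuboCop's Security/Open cop (not the
  # cop itself): flag `open(` or `Kernel.open(` whose first argument is not
  # a string literal. Receiver-qualified calls such as File.open are fine.
  BARE_OPEN = /(?<![\w.:])(?:Kernel\.)?open\(\s*(?!["'])/

  # Takes Ruby source text; returns [line_number, line] pairs to review.
  # Comment lines are skipped.
  def self.flag_bare_open(source)
    source.each_line.with_index(1)
          .reject { |line, _| line.lstrip.start_with?("#") }
          .select { |line, _| line.match?(BARE_OPEN) }
          .map { |line, n| [n, line.strip] }
  end

  # Constructed sample: lines 3 and 9 should be flagged; line 6 (File.open)
  # and line 8 (literal argument) should not.
  SAMPLE_SOURCE = <<~RUBY
    def load_file(filename)
      @filename = filename
      open(filename, "r") { |f| @lines = f.readlines }
    end
    def safe(filename)
      File.open(filename, "r") { |f| f.read }
    end
    config = open("config.yml")
    Kernel.open(path)
  RUBY
end

if __FILE__ == $PROGRAM_NAME
  p LoadFileExample.demo
  p LoadFileExample.missing_file?("|not-a-file")
  p LoadFileExample.flag_bare_open(LoadFileExample::SAMPLE_SOURCE)
end
```

The `flag_bare_open` output is the kind of finding the Security cop turns into a test-suite failure; the point of wiring such a check into CI, as the advisory describes, is that a bare `open` on a non-literal argument never reaches a release without a human looking at it.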
@flavorjones flavorjones commented Aug 10, 2019

Checklist:

  • push commits to v1.10.x branch
  • watch nokogiri-v1.10.x pipeline go green
  • release v1.10.4
  • update this issue with full details
  • apply those commits to master
@flavorjones flavorjones added this to the v1.10.x patch releases milestone Aug 10, 2019
flavorjones added a commit that referenced this issue Aug 11, 2019
related to #1915
flavorjones added a commit that referenced this issue Aug 11, 2019
which was raised by Rubocop's security filter

related to #1915
flavorjones added a commit that referenced this issue Aug 11, 2019
related to #1915
flavorjones added a commit that referenced this issue Aug 11, 2019
related to #1915
@flavorjones flavorjones commented Aug 11, 2019

v1.10.4 has been released addressing this vulnerability.

flavorjones added a commit that referenced this issue Aug 11, 2019
related to #1915
flavorjones added a commit that referenced this issue Aug 11, 2019
which was raised by Rubocop's security filter

related to #1915
flavorjones added a commit that referenced this issue Aug 11, 2019
related to #1915
flavorjones added a commit that referenced this issue Aug 11, 2019
related to #1915
@flavorjones flavorjones changed the title from "[placeholder] embargoed security vulnerability" to "CVE-2019-5477 - Nokogiri Command Injection Vulnerability" Aug 11, 2019
va-bot added a commit to department-of-veterans-affairs/caseflow that referenced this issue Aug 13, 2019
`bundle exec rake security` alerted us to a vulnerability in the Nokogiri library we use for XML and HTML parsing. This PR updates the library to a version that is not vulnerable to the disclosed CVE as per the directions presented by the maintainers (sparklemotion/nokogiri#1915).

```bash
$> bundle exec rake security
...
Updated ruby-advisory-db
ruby-advisory-db: 384 advisories
Looking for ~/Projects/caseflow/.security.yml
bundle-audit check --ignore=
Name: nokogiri
Version: 1.10.3
Advisory: CVE-2019-5477
Criticality: Unknown
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Vulnerabilities found!

Failed. Security vulnerabilities were found. Find the dependency in Gemfile.lock,
then specify a safe version of the dependency in the Gemfile (preferred) or
snooze the CVE in .security.yml for a week.
```
dentarg added a commit to twingly/feedbag.herokuapp.com that referenced this issue Aug 14, 2019
dentarg added a commit to twingly/feedjira.herokuapp.com that referenced this issue Aug 14, 2019
@greysteil greysteil commented Aug 15, 2019

@flavorjones thanks for all your work on this and everything else you do.

I'm on the security team at GitHub these days, and noticed that this didn't come through to our advisory curation team via the NVD feed, even though you've got a CVE for it. It looks like that's because the CVE has been assigned but not published.

Would you mind prodding HackerOne to mark this as published, now that it's been publicly disclosed? We're also planning to make it easy to get CVEs through GitHub itself and have the publishing process for them automated, so hopefully we can help more here in future.

phallstrom added a commit to railslink/railslink that referenced this issue Aug 15, 2019
phallstrom added a commit to railslink/railslink that referenced this issue Aug 15, 2019
phallstrom added a commit to railslink/railslink that referenced this issue Aug 15, 2019
@reedloden reedloden commented Aug 15, 2019

@greysteil We (HackerOne) submitted it to MITRE for publication this morning (we normally only do this once a week, unless specifically asked to do it sooner). Once they process it, it should be all live.

isay-sosa added a commit to isay-sosa/machetito that referenced this issue Aug 19, 2019
matthewoliver added a commit to matthewoliver/crowbar-core that referenced this issue Aug 29, 2019
A bunch of PRs in the crowbar-core are blocked due to a travis CI check:

  bundle-audit check --ignore ...

This is due to a security embargo that was lifted and blocked by a
version of nokogiri:

  Name: nokogiri
  Version: 1.9.1
  Advisory: CVE-2019-5477
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1915
  Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
  Solution: upgrade to >= 1.10.4

I asked about it in the rocketchat #cloud channel, and apparently Rick
has looked into it and it seems we are unaffected by it as we don't use
the version when building the RPM.

I've also done a quick look through IBS and I can't see nokogiri as a
build requirement for crowbar, crowbar-core or crowbar-openstack. Well
it isn't even mentioned in any of the spec files.

So raising this PR to add it to the ignore so we can unblock the
crowbar-core PRs.

Adding the SOC-9635, as it's the patch of mine that is blocked on it, and
so it passes travis CI.
matthewoliver added a commit to matthewoliver/crowbar-core that referenced this issue Aug 29, 2019
A bunch of PRs in the crowbar-core are blocked due to a travis CI check:

  bundle-audit check --ignore ...

This is due to a security embargo that was lifted and blocked by a
version of nokogiri:

  Name: nokogiri
  Version: 1.9.1
  Advisory: CVE-2019-5477
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1915
  Title: Nokogiri Command Injection Vulnerability via
         Nokogiri::CSS::Tokenizer#load_file
  Solution: upgrade to >= 1.10.4

I asked about it in the rocketchat #cloud channel, and apparently Rick
has looked into it and it seems we are unaffected by it as we don't use
the version when building the RPM.

I've also done a quick look through IBS and I can't see nokogiri as a
build requirement for crowbar, crowbar-core or crowbar-openstack. Well
it isn't even mentioned in any of the spec files.

So raising this PR to add it to the ignore so we can unblock the
crowbar-core PRs.

Adding the SOC-9635, as it's the patch of mine that is blocked on it, and
so it passes travis CI.
rhafer added a commit to rhafer/crowbar-core that referenced this issue Aug 30, 2019
A bunch of PRs in the crowbar-core are blocked due to a travis CI check:

  bundle-audit check --ignore ...

This is due to a security embargo that was lifted and blocked by a
version of nokogiri:

  Name: nokogiri
  Version: 1.9.1
  Advisory: CVE-2019-5477
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1915
  Title: Nokogiri Command Injection Vulnerability via
         Nokogiri::CSS::Tokenizer#load_file
  Solution: upgrade to >= 1.10.4

I asked about it in the rocketchat #cloud channel, and apparently Rick
has looked into it and it seems we are unaffected by it as we don't use
the version when building the RPM.

I've also done a quick look through IBS and I can't see nokogiri as a
build requirement for crowbar, crowbar-core or crowbar-openstack. Well
it isn't even mentioned in any of the spec files.

So raising this PR to add it to the ignore so we can unblock the
crowbar-core PRs.

Adding the SOC-9635, as it's the patch of mine that is blocked on it, and
so it passes travis CI.

(cherry picked from commit 8400e28)
rhafer added a commit to rhafer/crowbar-core that referenced this issue Aug 30, 2019
A bunch of PRs in the crowbar-core are blocked due to a travis CI check:

  bundle-audit check --ignore ...

This is due to a security embargo that was lifted and blocked by a
version of nokogiri:

  Name: nokogiri
  Version: 1.9.1
  Advisory: CVE-2019-5477
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1915
  Title: Nokogiri Command Injection Vulnerability via
         Nokogiri::CSS::Tokenizer#load_file
  Solution: upgrade to >= 1.10.4

I asked about it in the rocketchat #cloud channel, and apparently Rick
has looked into it and it seems we are unaffected by it as we don't use
the version when building the RPM.

I've also done a quick look through IBS and I can't see nokogiri as a
build requirement for crowbar, crowbar-core or crowbar-openstack. Well
it isn't even mentioned in any of the spec files.

So raising this PR to add it to the ignore so we can unblock the
crowbar-core PRs.

Adding the SOC-9635, as it's the patch of mine that is blocked on it, and
so it passes travis CI.

(cherry picked from commit 8400e28)
vbalbarin added a commit to YaleSpinup/dns-api that referenced this issue Oct 2, 2019
Name: nokogiri
Version: 1.10.3
Advisory: CVE-2019-5477
Criticality: High
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4
facebook-github-bot added a commit to Instagram/IGListKit that referenced this issue Oct 30, 2019
Summary:
We don't use nokogiri directly in our library, but it found its way into our Gemfile.lock. I'm bumping the version in the Gemfile.lock because the version it's calling for has a security vuln: sparklemotion/nokogiri#1915. I ran into this when I tried setting up this library from a github clone, so I imagine others may be running into this and wasting time on it as well.

Another solution here would just be to remove nokogiri from our Gemfile.lock entirely. I don't think we use it directly anywhere, and it was just included in the lock because it happened to be in someone's environment at the time of the lock file creation.

Reviewed By: joetam

Differential Revision: D18046184

fbshipit-source-id: de6263bb24783988545a77cb67ee66c9697820de
bors-alpinelab bot added a commit to alpinelab/toolbox that referenced this issue Nov 1, 2019
Merge #119
119: [Security] Bump nokogiri from 1.10.3 to 1.10.5 r=michaelbaudino a=dependabot-preview[bot]

Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.3 to 1.10.5. **This update includes security fixes.**
<details>
<summary>Vulnerabilities fixed</summary>

*Sourced from The Ruby Advisory Database.*

> **Nokogiri Command Injection Vulnerability**
> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.
> 
> This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
> 
> Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method `Nokogiri::CSS::Tokenizer#load_file` with untrusted user input.
> 
> Patched versions: >= 1.10.4
> Unaffected versions: none

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5477.yml).*

> **Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file**
> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
> commands to be executed in a subprocess by Ruby's `Kernel.open` method.
> Processes are vulnerable only if the undocumented method
> `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.
> 
> This vulnerability appears in code generated by the Rexical gem versions
> v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner
> code for parsing CSS queries. The underlying vulnerability was addressed in
> Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in
> Nokogiri v1.10.4.
> 
> Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method
> `Nokogiri::CSS::Tokenizer#load_file` with untrusted user input.
> 
> Patched versions: >= 1.10.4
> Unaffected versions: none

</details>
<details>
<summary>Release notes</summary>

*Sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases).*

> ## 1.10.5 / 2019-10-31
> 
> ### Dependencies
> 
> * [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
> * [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34
> 
> 
> 
> ## 1.10.4 / 2019-08-11
> 
> ### Security
> 
> #### Address CVE-2019-5477 ([#1915](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915))
> 
> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.
> 
> This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
> 
> This CVE's public notice is [sparklemotion/nokogiri#1915](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915)
> 
</details>
<details>
<summary>Changelog</summary>

*Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).*

> ## 1.10.5 / 2019-10-31
> 
> ### Dependencies
> 
> * [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
> * [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34
> 
> 
> ## 1.10.4 / 2019-08-11
> 
> ### Security
> 
> #### Address CVE-2019-5477 ([#1915](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915))
> 
> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.
> 
> This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
> 
> This CVE's public notice is [sparklemotion/nokogiri#1915](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915)
</details>
<details>
<summary>Commits</summary>

- [`1bc2ff9`](sparklemotion/nokogiri@1bc2ff9) version bump to v1.10.5
- [`383c1f8`](sparklemotion/nokogiri@383c1f8) update CHANGELOG
- [`43a1753`](sparklemotion/nokogiri@43a1753) dependency: update libxslt to 1.1.34 final
- [`99d8a6b`](sparklemotion/nokogiri@99d8a6b) dependency: update libxml to 2.9.10 final
- [`2a86496`](sparklemotion/nokogiri@2a86496) add suppressions for ruby 2.7
- [`dca794a`](sparklemotion/nokogiri@dca794a) update CHANGELOG with correct release date for v1.10.4
- [`077e010`](sparklemotion/nokogiri@077e010) update rake-compiler commands to install bundler
- [`beb832e`](sparklemotion/nokogiri@beb832e) version bump to v1.10.4
- [`5d30128`](sparklemotion/nokogiri@5d30128) Merge branch '1915-css-tokenizer-load-file-vulnerability_v1.10.x' into v1.10.x
- [`c86b5fc`](sparklemotion/nokogiri@c86b5fc) update CHANGELOG
- Additional commits viewable in [compare view](sparklemotion/nokogiri@v1.10.3...v1.10.5)
</details>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
facebook-github-bot added a commit to facebook/watchman that referenced this issue Nov 1, 2019
Summary:
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.8.0 to 1.10.5.
<details>
<summary>Release notes</summary>

*Sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases).*

> ## 1.10.5 / 2019-10-31
>
> ### Dependencies
>
> * [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
> * [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34
>
>
>
> ## 1.10.4 / 2019-08-11
>
> ### Security
>
> #### Address CVE-2019-5477 ([#1915](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915))
>
> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.
>
> This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
>
> This CVE's public notice is [sparklemotion/nokogiri#1915](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915)
>
>
> ## 1.10.3 / 2019-04-22
>
> ### Security Notes
>
> [MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in [#1892](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1892). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.
>
> ## 1.10.2 / 2019-03-24
>
> ### Security
>
> * [MRI] Remove support from vendored libxml2 for future script macros. [#1871](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1871)
> * [MRI] Remove support from vendored libxml2 for server-side includes within attributes. [#1877](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1877)
>
>
> ### Bug fixes
>
> * [JRuby] Fix node ownership in duplicated documents. [#1060](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1060)
> * [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, [#1872](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1872)] (Thanks, [@&#8203;adjam](https://github.com/adjam)!)
>
>
>
> ## 1.10.1 / 2019-01-13
>
> ### Features
>
> * [MRI] During installation, handle Xcode 10's new library pathOS. [#1801, [#1851](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1851)] (Thanks, [@&#8203;mlj](https://github.com/mlj) and [@&#8203;deepj](https://github.com/deepj)!)
> * Avoid unnecessary creation of `Proc`s in many methods. [#1776](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1776) (Thanks, [@&#8203;chopraanmol1](https://github.com/chopraanmol1)!)
>
> ... (truncated)
</details>
<details>
<summary>Changelog</summary>

*Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).*

> ## 1.10.5 / 2019-10-31
>
> ### Dependencies
>
> * [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
> * [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34
>
>
> ## 1.10.4 / 2019-08-11
>
> ### Security
>
> #### Address CVE-2019-5477 ([#1915](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915))
>
> A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.
>
> This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
>
> This CVE's public notice is [sparklemotion/nokogiri#1915](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1915)
>
>
> ## 1.10.3 / 2019-04-22
>
> ### Security Notes
>
> [MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in [#1892](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1892). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.
>
>
> ## 1.10.2 / 2019-03-24
>
> ### Security
>
> * [MRI] Remove support from vendored libxml2 for future script macros. [#1871](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1871)
> * [MRI] Remove support from vendored libxml2 for server-side includes within attributes. [#1877](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1877)
>
>
> ### Bug fixes
>
> * [JRuby] Fix node ownership in duplicated documents. [#1060](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1060)
> * [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, [#1872](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1872)] (Thanks, [@&#8203;adjam](https://github.com/adjam)!)
>
>
> ## 1.10.1 / 2019-01-13
>
> ### Features
>
> * [MRI] During installation, handle Xcode 10's new library path. [#1801, [#1851](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1851)] (Thanks, [@&#8203;mlj](https://github.com/mlj) and [@&#8203;deepj](https://github.com/deepj)!)
> * Avoid unnecessary creation of `Proc`s in many methods. [#1776](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1776) (Thanks, [@&#8203;chopraanmol1](https://github.com/chopraanmol1)!)
>
>
> ... (truncated)
</details>
<details>
<summary>Commits</summary>

- [`1bc2ff9`](sparklemotion/nokogiri@1bc2ff9) version bump to v1.10.5
- [`383c1f8`](sparklemotion/nokogiri@383c1f8) update CHANGELOG
- [`43a1753`](sparklemotion/nokogiri@43a1753) dependency: update libxslt to 1.1.34 final
- [`99d8a6b`](sparklemotion/nokogiri@99d8a6b) dependency: update libxml to 2.9.10 final
- [`2a86496`](sparklemotion/nokogiri@2a86496) add suppressions for ruby 2.7
- [`dca794a`](sparklemotion/nokogiri@dca794a) update CHANGELOG with correct release date for v1.10.4
- [`077e010`](sparklemotion/nokogiri@077e010) update rake-compiler commands to install bundler
- [`beb832e`](sparklemotion/nokogiri@beb832e) version bump to v1.10.4
- [`5d30128`](sparklemotion/nokogiri@5d30128) Merge branch '1915-css-tokenizer-load-file-vulnerability_v1.10.x' into v1.10.x
- [`c86b5fc`](sparklemotion/nokogiri@c86b5fc) update CHANGELOG
- Additional commits viewable in [compare view](sparklemotion/nokogiri@v1.8.0...v1.10.5)
</details>
Pull Request resolved: #757

Differential Revision: D18281040

Pulled By: wez

fbshipit-source-id: d5bf78860f5bbdcc3b88ea12a6533511e4405938
sinsoku added a commit to sinsoku/wovnrb that referenced this issue Nov 30, 2019
d-leclere added a commit to d-leclere/github-slideshow that referenced this issue Dec 10, 2019
d-leclere added a commit to d-leclere/github-slideshow that referenced this issue Dec 10, 2019
bstewart00 added a commit to WOVNio/wovnrb that referenced this issue Dec 11, 2019
* Update Nokogiri version for CVE-2019-5477

refs: sparklemotion/nokogiri#1915

* Fix build errors in Ruby 2.1 and 2.2
senid231 added a commit to senid231/didww-v3-rails-sample that referenced this issue Feb 10, 2021
Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8166
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-15169
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-8167
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5418
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-5267
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5419
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1

Name: activejob
Version: 5.1.4
Advisory: CVE-2018-16476
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activesupport
Version: 5.1.4
Advisory: CVE-2020-8165
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: ffi
Version: 1.9.18
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24

Name: jquery-rails
Version: 4.3.1
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Title: Prototype pollution attack through jQuery $.extend
Solution: upgrade to >= 4.3.4

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: flavorjones/loofah#144
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.1

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-16468
Criticality: Medium
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: loofah
Version: 2.1.1
Advisory: CVE-2019-15587
Criticality: Medium
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2017-15412
Criticality: Unknown
URL: sparklemotion/nokogiri#1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: sparklemotion/nokogiri#1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-26247
Criticality: Low
URL: GHSA-vr8q-g5c7-m54m
Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Solution: upgrade to >= 1.11.0.rc4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-7595
Criticality: High
URL: sparklemotion/nokogiri#1992
Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Solution: upgrade to >= 1.10.8

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-5477
Criticality: Critical
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5

Name: rack
Version: 2.0.8
Advisory: CVE-2020-8161
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Title: Directory traversal in Rack::Directory app bundled with Rack
Solution: upgrade to ~> 2.1.3, >= 2.2.0

Name: rack
Version: 2.0.8
Advisory: CVE-2020-8184
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to ~> 2.1.4, >= 2.2.3

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to >= 1.0.4

Name: sprockets
Version: 3.7.1
Advisory: CVE-2018-3760
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Title: Path Traversal in Sprockets
Solution: upgrade to >= 2.12.5, < 3.0.0, >= 3.7.2, < 4.0.0, >= 4.0.0.beta8