GSD-2019-5477
Vulnerability from gsd - Updated: 2019-08-11 00:00Details
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
commands to be executed in a subprocess by Ruby's `Kernel.open` method.
Processes are vulnerable only if the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.
This vulnerability appears in code generated by the Rexical gem versions
v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner
code for parsing CSS queries. The underlying vulnerability was addressed in
Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in
Nokogiri v1.10.4.
Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` with untrusted user input.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-5477",
"description": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.",
"id": "GSD-2019-5477",
"references": [
"https://www.suse.com/security/cve/CVE-2019-5477.html",
"https://ubuntu.com/security/CVE-2019-5477",
"https://advisories.mageia.org/CVE-2019-5477.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri",
"purl": "pkg:gem/nokogiri"
}
}
],
"aliases": [
"CVE-2019-5477",
"GHSA-cr5j-953j-xw5p"
],
"details": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows\ncommands to be executed in a subprocess by Ruby\u0027s `Kernel.open` method.\nProcesses are vulnerable only if the undocumented method\n`Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.\n\nThis vulnerability appears in code generated by the Rexical gem versions\nv1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner\ncode for parsing CSS queries. The underlying vulnerability was addressed in\nRexical v1.0.7 and Nokogiri upgraded to this version of Rexical in\nNokogiri v1.10.4.\n\nUpgrade to Nokogiri v1.10.4, or avoid calling the undocumented method\n`Nokogiri::CSS::Tokenizer#load_file` with untrusted user input.\n",
"id": "GSD-2019-5477",
"modified": "2019-08-11T00:00:00.000Z",
"published": "2019-08-11T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/issues/1915"
},
{
"type": "WEB",
"url": "https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V2"
},
{
"score": 9.8,
"type": "CVSS_V3"
}
],
"summary": "Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2019-5477",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nokogiri (ruby gem)",
"version": {
"version_data": [
{
"version_value": "Fixed in v1.10.4"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "OS Command Injection (CWE-78)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/650835",
"refsource": "MISC",
"url": "https://hackerone.com/reports/650835"
},
{
"name": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc",
"refsource": "MISC",
"url": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc"
},
{
"name": "https://github.com/sparklemotion/nokogiri/issues/1915",
"refsource": "CONFIRM",
"url": "https://github.com/sparklemotion/nokogiri/issues/1915"
},
{
"name": "[debian-lts-announce] 20190926 [SECURITY] [DLA 1933-1] ruby-nokogiri security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html"
},
{
"name": "USN-4175-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4175-1/"
},
{
"name": "GLSA-202006-05",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-05"
},
{
"name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
},
{
"name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3150-1] rexical security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2019-5477",
"cvss_v2": 7.5,
"cvss_v3": 9.8,
"date": "2019-08-11",
"description": "A command injection vulnerability appears in code generated by the Rexical\ngem versions v1.0.6 and earlier. It allows commands to be executed in a\nsubprocess by Ruby\u0027s `Kernel.open` method.\n",
"gem": "rexical",
"ghsa": "cr5j-953j-xw5p",
"patched_versions": [
"\u003e= 1.0.7"
],
"related": {
"url": [
"https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc#107--2019-08-06",
"https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ"
]
},
"title": "Rexical Command Injection Vulnerability",
"url": "https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=1.10.3",
"affected_versions": "All versions up to 1.10.3",
"credit": "Katsuhiko YOSHIDA",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-78",
"CWE-937"
],
"date": "2019-09-26",
"description": "A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename.",
"fixed_versions": [
"1.10.4"
],
"identifier": "CVE-2019-5477",
"identifiers": [
"CVE-2019-5477"
],
"not_impacted": "All versions after 1.10.3",
"package_slug": "gem/nokogiri",
"pubdate": "2019-08-16",
"solution": "Upgrade to version 1.10.4 or above.",
"title": "Command Injection",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-5477",
"https://github.com/sparklemotion/nokogiri/issues/1915"
],
"uuid": "7e9c16eb-d4ee-4c0a-a3b7-ed88f1ea7125"
},
{
"affected_range": "\u003c1.0.7",
"affected_versions": "All versions before 1.0.7",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-78",
"CWE-937"
],
"date": "2020-10-16",
"description": "A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method.",
"fixed_versions": [
"1.0.7"
],
"identifier": "CVE-2019-5477",
"identifiers": [
"CVE-2019-5477"
],
"not_impacted": "All versions starting from 1.0.7",
"package_slug": "gem/rexical",
"pubdate": "2019-08-16",
"solution": "Upgrade to version 1.0.7 or above.",
"title": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-5477"
],
"uuid": "36f8fc75-da5e-40e9-9bb3-15b423fc85f3"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.10.3",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve-assignments@hackerone.com",
"ID": "CVE-2019-5477"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/650835",
"refsource": "MISC",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/650835"
},
{
"name": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc",
"refsource": "MISC",
"tags": [
"Release Notes"
],
"url": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc"
},
{
"name": "https://github.com/sparklemotion/nokogiri/issues/1915",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/sparklemotion/nokogiri/issues/1915"
},
{
"name": "[debian-lts-announce] 20190926 [SECURITY] [DLA 1933-1] ruby-nokogiri security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html"
},
{
"name": "USN-4175-1",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4175-1/"
},
{
"name": "GLSA-202006-05",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202006-05"
},
{
"name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
},
{
"name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3150-1] rexical security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2022-10-14T18:46Z",
"publishedDate": "2019-08-16T16:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…