gsd-2019-5477
Vulnerability from gsd
Modified
2019-08-11 00:00
Details
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
commands to be executed in a subprocess by Ruby's `Kernel.open` method.
Processes are vulnerable only if the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.
This vulnerability appears in code generated by the Rexical gem versions
v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner
code for parsing CSS queries. The underlying vulnerability was addressed in
Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in
Nokogiri v1.10.4.
Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` with untrusted user input.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-5477",
"description": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.",
"id": "GSD-2019-5477",
"references": [
"https://www.suse.com/security/cve/CVE-2019-5477.html",
"https://ubuntu.com/security/CVE-2019-5477",
"https://advisories.mageia.org/CVE-2019-5477.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri",
"purl": "pkg:gem/nokogiri"
}
}
],
"aliases": [
"CVE-2019-5477",
"GHSA-cr5j-953j-xw5p"
],
"details": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows\ncommands to be executed in a subprocess by Ruby\u0027s `Kernel.open` method.\nProcesses are vulnerable only if the undocumented method\n`Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.\n\nThis vulnerability appears in code generated by the Rexical gem versions\nv1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner\ncode for parsing CSS queries. The underlying vulnerability was addressed in\nRexical v1.0.7 and Nokogiri upgraded to this version of Rexical in\nNokogiri v1.10.4.\n\nUpgrade to Nokogiri v1.10.4, or avoid calling the undocumented method\n`Nokogiri::CSS::Tokenizer#load_file` with untrusted user input.\n",
"id": "GSD-2019-5477",
"modified": "2019-08-11T00:00:00.000Z",
"published": "2019-08-11T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/issues/1915"
},
{
"type": "WEB",
"url": "https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V2"
},
{
"score": 9.8,
"type": "CVSS_V3"
}
],
"summary": "Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2019-5477",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nokogiri (ruby gem)",
"version": {
"version_data": [
{
"version_value": "Fixed in v1.10.4"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "OS Command Injection (CWE-78)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/650835",
"refsource": "MISC",
"url": "https://hackerone.com/reports/650835"
},
{
"name": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc",
"refsource": "MISC",
"url": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc"
},
{
"name": "https://github.com/sparklemotion/nokogiri/issues/1915",
"refsource": "CONFIRM",
"url": "https://github.com/sparklemotion/nokogiri/issues/1915"
},
{
"name": "[debian-lts-announce] 20190926 [SECURITY] [DLA 1933-1] ruby-nokogiri security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html"
},
{
"name": "USN-4175-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4175-1/"
},
{
"name": "GLSA-202006-05",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-05"
},
{
"name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
},
{
"name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3150-1] rexical security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2019-5477",
"cvss_v2": 7.5,
"cvss_v3": 9.8,
"date": "2019-08-11",
"description": "A command injection vulnerability appears in code generated by the Rexical\ngem versions v1.0.6 and earlier. It allows commands to be executed in a\nsubprocess by Ruby\u0027s `Kernel.open` method.\n",
"gem": "rexical",
"ghsa": "cr5j-953j-xw5p",
"patched_versions": [
"\u003e= 1.0.7"
],
"related": {
"url": [
"https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc#107--2019-08-06",
"https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ"
]
},
"title": "Rexical Command Injection Vulnerability",
"url": "https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=1.10.3",
"affected_versions": "All versions up to 1.10.3",
"credit": "Katsuhiko YOSHIDA",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-78",
"CWE-937"
],
"date": "2019-09-26",
"description": "A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename.",
"fixed_versions": [
"1.10.4"
],
"identifier": "CVE-2019-5477",
"identifiers": [
"CVE-2019-5477"
],
"not_impacted": "All versions after 1.10.3",
"package_slug": "gem/nokogiri",
"pubdate": "2019-08-16",
"solution": "Upgrade to version 1.10.4 or above.",
"title": "Command Injection",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-5477",
"https://github.com/sparklemotion/nokogiri/issues/1915"
],
"uuid": "7e9c16eb-d4ee-4c0a-a3b7-ed88f1ea7125"
},
{
"affected_range": "\u003c1.0.7",
"affected_versions": "All versions before 1.0.7",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-78",
"CWE-937"
],
"date": "2020-10-16",
"description": "A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method.",
"fixed_versions": [
"1.0.7"
],
"identifier": "CVE-2019-5477",
"identifiers": [
"CVE-2019-5477"
],
"not_impacted": "All versions starting from 1.0.7",
"package_slug": "gem/rexical",
"pubdate": "2019-08-16",
"solution": "Upgrade to version 1.0.7 or above.",
"title": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-5477"
],
"uuid": "36f8fc75-da5e-40e9-9bb3-15b423fc85f3"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.10.3",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve-assignments@hackerone.com",
"ID": "CVE-2019-5477"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/650835",
"refsource": "MISC",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/650835"
},
{
"name": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc",
"refsource": "MISC",
"tags": [
"Release Notes"
],
"url": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc"
},
{
"name": "https://github.com/sparklemotion/nokogiri/issues/1915",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/sparklemotion/nokogiri/issues/1915"
},
{
"name": "[debian-lts-announce] 20190926 [SECURITY] [DLA 1933-1] ruby-nokogiri security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html"
},
{
"name": "USN-4175-1",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4175-1/"
},
{
"name": "GLSA-202006-05",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202006-05"
},
{
"name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
},
{
"name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3150-1] rexical security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2022-10-14T18:46Z",
"publishedDate": "2019-08-16T16:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.