gsd-2021-30560
Vulnerability from gsd
Modified
2022-02-21 00:00
Details
## Summary
Nokogiri v1.13.2 upgrades two of its packaged dependencies:
* vendored libxml2 from v2.9.12 to v2.9.13
* vendored libxslt from v1.1.34 to v1.1.35
Those library versions address the following upstream CVEs:
* libxslt: CVE-2021-30560 (CVSS 8.8, High severity)
* libxml2: CVE-2022-23308 (Unspecified severity, see more information below)
Those library versions also address numerous other issues including performance
improvements, regression fixes, and bug fixes, as well as memory leaks and other
use-after-free issues that were not assigned CVEs.
Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's `libxml2`
and `libxslt` release announcements.
## Mitigation
Upgrade to Nokogiri >= 1.13.2.
Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link an older version Nokogiri against external libraries
libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.
## Impact
* libxslt CVE-2021-30560
* CVSS3 score: 8.8 (High)
Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c
All versions of libxslt prior to v1.1.35 are affected.
Applications using untrusted XSL stylesheets to transform XML are vulnerable to
a denial-of-service attack and should be upgraded immediately.
libxml2 CVE-2022-23308
* As of the time this security advisory was published, there is no officially
published information available about this CVE's severity. The above NIST link
does not yet have a published record, and the libxml2 maintainer has declined
to provide a severity score.
* Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12
* Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html
The upstream commit and the explanation linked above indicate that an application
may be vulnerable to a denial of service, memory disclosure, or code execution if
it parses an untrusted document with parse options `DTDVALID` set to true, and `NOENT`
set to false.
An analysis of these parse options:
* While `NOENT` is off by default for Document, DocumentFragment, Reader, and
Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri
v1.12.0 and later.
* `DTDVALID` is an option that Nokogiri does not set for any operations, and so
this CVE applies only to applications setting this option explicitly.
It seems reasonable to assume that any application explicitly setting the parse
option `DTDVALID` when parsing untrusted documents is vulnerable and should be
upgraded immediately.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-30560",
"description": "Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GSD-2021-30560",
"references": [
"https://www.suse.com/security/cve/CVE-2021-30560.html",
"https://security.archlinux.org/CVE-2021-30560",
"https://ubuntu.com/security/CVE-2021-30560",
"https://www.debian.org/security/2022/dsa-5216",
"https://advisories.mageia.org/CVE-2021-30560.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri",
"purl": "pkg:gem/nokogiri"
}
}
],
"aliases": [
"CVE-2021-30560",
"GHSA-fq42-c5rg-92c2"
],
"details": "## Summary\n\nNokogiri v1.13.2 upgrades two of its packaged dependencies:\n\n* vendored libxml2 from v2.9.12 to v2.9.13\n* vendored libxslt from v1.1.34 to v1.1.35\n\nThose library versions address the following upstream CVEs:\n\n* libxslt: CVE-2021-30560 (CVSS 8.8, High severity)\n* libxml2: CVE-2022-23308 (Unspecified severity, see more information below)\n\nThose library versions also address numerous other issues including performance\nimprovements, regression fixes, and bug fixes, as well as memory leaks and other\nuse-after-free issues that were not assigned CVEs.\n\nPlease note that this advisory only applies to the CRuby implementation of\nNokogiri \u003c 1.13.2, and only if the packaged libraries are being used. If you\u0027ve\noverridden defaults at installation time to use system libraries instead of\npackaged libraries, you should instead pay attention to your distro\u0027s `libxml2`\nand `libxslt` release announcements.\n\n## Mitigation\n\nUpgrade to Nokogiri \u003e= 1.13.2.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated\nmitigation: compile and link an older version Nokogiri against external libraries\nlibxml2 \u003e= 2.9.13 and libxslt \u003e= 1.1.35, which will also address these same CVEs.\n\n## Impact\n\n* libxslt CVE-2021-30560\n* CVSS3 score: 8.8 (High)\n\nFixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c\n\nAll versions of libxslt prior to v1.1.35 are affected.\n\nApplications using untrusted XSL stylesheets to transform XML are vulnerable to\na denial-of-service attack and should be upgraded immediately.\n\nlibxml2 CVE-2022-23308\n* As of the time this security advisory was published, there is no officially\npublished information available about this CVE\u0027s severity. The above NIST link\ndoes not yet have a published record, and the libxml2 maintainer has declined\nto provide a severity score.\n* Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12\n* Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html\n\nThe upstream commit and the explanation linked above indicate that an application\nmay be vulnerable to a denial of service, memory disclosure, or code execution if\nit parses an untrusted document with parse options `DTDVALID` set to true, and `NOENT`\nset to false.\n\nAn analysis of these parse options:\n\n* While `NOENT` is off by default for Document, DocumentFragment, Reader, and\nSchema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri\nv1.12.0 and later.\n* `DTDVALID` is an option that Nokogiri does not set for any operations, and so\nthis CVE applies only to applications setting this option explicitly.\n\nIt seems reasonable to assume that any application explicitly setting the parse\noption `DTDVALID` when parsing untrusted documents is vulnerable and should be\nupgraded immediately.\n",
"id": "GSD-2021-30560",
"modified": "2022-02-21T00:00:00.000Z",
"published": "2022-02-21T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2"
}
],
"related": [
"CVE-2022-23308"
],
"schema_version": "1.4.0",
"severity": [
{
"score": 8.8,
"type": "CVSS_V3"
}
],
"summary": "Update packaged libxml2 (2.9.12 \u2192 2.9.13) and libxslt (1.1.34 \u2192 1.1.35)"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "chrome-cve-admin@google.com",
"ID": "CVE-2021-30560",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Chrome",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "91.0.4472.164"
}
]
}
}
]
},
"vendor_name": "Google"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use after free"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html",
"refsource": "MISC",
"url": "https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html"
},
{
"name": "https://crbug.com/1219209",
"refsource": "MISC",
"url": "https://crbug.com/1219209"
},
{
"name": "DSA-5216",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5216"
},
{
"name": "[debian-lts-announce] 20220909 [SECURITY] [DLA 3101-1] libxslt security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html"
},
{
"name": "GLSA-202310-23",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202310-23"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2021-30560",
"cvss_v3": 8.8,
"date": "2022-02-21",
"description": "## Summary\n\nNokogiri v1.13.2 upgrades two of its packaged dependencies:\n\n* vendored libxml2 from v2.9.12 to v2.9.13\n* vendored libxslt from v1.1.34 to v1.1.35\n\nThose library versions address the following upstream CVEs:\n\n* libxslt: CVE-2021-30560 (CVSS 8.8, High severity)\n* libxml2: CVE-2022-23308 (Unspecified severity, see more information below)\n\nThose library versions also address numerous other issues including performance\nimprovements, regression fixes, and bug fixes, as well as memory leaks and other\nuse-after-free issues that were not assigned CVEs.\n\nPlease note that this advisory only applies to the CRuby implementation of\nNokogiri \u003c 1.13.2, and only if the packaged libraries are being used. If you\u0027ve\noverridden defaults at installation time to use system libraries instead of\npackaged libraries, you should instead pay attention to your distro\u0027s `libxml2`\nand `libxslt` release announcements.\n\n## Mitigation\n\nUpgrade to Nokogiri \u003e= 1.13.2.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated\nmitigation: compile and link an older version Nokogiri against external libraries\nlibxml2 \u003e= 2.9.13 and libxslt \u003e= 1.1.35, which will also address these same CVEs.\n\n## Impact\n\n* libxslt CVE-2021-30560\n* CVSS3 score: 8.8 (High)\n\nFixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c\n\nAll versions of libxslt prior to v1.1.35 are affected.\n\nApplications using untrusted XSL stylesheets to transform XML are vulnerable to\na denial-of-service attack and should be upgraded immediately.\n\nlibxml2 CVE-2022-23308\n* As of the time this security advisory was published, there is no officially\npublished information available about this CVE\u0027s severity. The above NIST link\ndoes not yet have a published record, and the libxml2 maintainer has declined\nto provide a severity score.\n* Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12\n* Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html\n\nThe upstream commit and the explanation linked above indicate that an application\nmay be vulnerable to a denial of service, memory disclosure, or code execution if\nit parses an untrusted document with parse options `DTDVALID` set to true, and `NOENT`\nset to false.\n\nAn analysis of these parse options:\n\n* While `NOENT` is off by default for Document, DocumentFragment, Reader, and\nSchema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri\nv1.12.0 and later.\n* `DTDVALID` is an option that Nokogiri does not set for any operations, and so\nthis CVE applies only to applications setting this option explicitly.\n\nIt seems reasonable to assume that any application explicitly setting the parse\noption `DTDVALID` when parsing untrusted documents is vulnerable and should be\nupgraded immediately.\n",
"gem": "nokogiri",
"ghsa": "fq42-c5rg-92c2",
"patched_versions": [
"\u003e= 1.13.2"
],
"related": {
"cve": [
"2022-23308"
]
},
"title": "Update packaged libxml2 (2.9.12 \u2192 2.9.13) and libxslt (1.1.34 \u2192 1.1.35)",
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.1.35",
"affected_versions": "All versions before 1.1.35",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-416",
"CWE-937"
],
"date": "2022-10-27",
"description": "Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"fixed_versions": [
"1.1.35"
],
"identifier": "CVE-2021-30560",
"identifiers": [
"CVE-2021-30560"
],
"not_impacted": "All versions starting from 1.1.35",
"package_slug": "conan/libxslt",
"pubdate": "2021-08-03",
"solution": "Upgrade to version 1.1.35 or above.",
"title": "Use After Free",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-30560",
"https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html",
"https://crbug.com/1219209"
],
"uuid": "4efa16aa-d829-4b6c-b073-d2d001f854df"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3B0BF7DD-0FAE-4761-B2CD-7D14E83A7B6F",
"versionEndExcluding": "91.0.4472.164",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7E7A28AB-D5DA-4F00-9795-4DA4951B4E75",
"versionEndExcluding": "1.1.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5722E753-75DE-4944-A11B-556CB299B57D",
"versionEndExcluding": "8.2.12",
"versionStartIncluding": "8.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DC0F9351-81A4-4FEA-B6B5-6E960A933D32",
"versionEndExcluding": "9.0.6",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EED24E67-2957-4C1B-8FEA-E2D2FE7B97FC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page."
},
{
"lang": "es",
"value": "Un uso de memoria previamente liberada en Blink XSLT en Google Chrome versiones anteriores a 91.0.4472.164, permit\u00eda a un atacante remoto explotar potencialmente una corrupci\u00f3n de la pila por medio de una p\u00e1gina HTML dise\u00f1ada"
}
],
"id": "CVE-2021-30560",
"lastModified": "2024-03-27T14:45:52.567",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-08-03T19:15:08.127",
"references": [
{
"source": "chrome-cve-admin@google.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html"
},
{
"source": "chrome-cve-admin@google.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://crbug.com/1219209"
},
{
"source": "chrome-cve-admin@google.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html"
},
{
"source": "chrome-cve-admin@google.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202310-23"
},
{
"source": "chrome-cve-admin@google.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5216"
}
],
"sourceIdentifier": "chrome-cve-admin@google.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
}
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.