Description
Nokogiri implementation of libxslt vulnerable to heap corruption
Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.
Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-5815
- https://github.com/sparklemotion/nokogiri/issues/2630
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5815.yml
- https://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b
- https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html
Packages
nokogiri: affected versions < 1.10.5, fixed in 1.10.5
Related vulnerabilities
Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.
Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1. ...
A vulnerability in the xsltNumberFormatGetMultipleLevel function of libxslt, a library for processing XML documents, related to accessing a resource using an incompatible type, which allows an attacker to cause a denial of service