github - GHSA-cr5j-953j-xw5p

GHSA-cr5j-953j-xw5p

Vulnerability from github

Published

2019-08-19 19:27

Modified

2023-08-28 14:05

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Nokogiri Command Injection Vulnerability

Details

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "nokogiri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rexical"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-5477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-08-19T19:26:57Z",
    "nvd_published_at": "2019-08-16T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.",
  "id": "GHSA-cr5j-953j-xw5p",
  "modified": "2023-08-28T14:05:24Z",
  "published": "2019-08-19T19:27:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5477"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/issues/1915"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/commit/5d30128343573a9428c86efc758ba2c66e9f12dc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/650835"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5477.yml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexical/CVE-2019-5477.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sparklemotion/nokogiri"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202006-05"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4175-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nokogiri Command Injection Vulnerability"
}

gsd-2019-5477

Vulnerability from gsd

Modified

2019-08-11 00:00

Details

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4. Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method `Nokogiri::CSS::Tokenizer#load_file` with untrusted user input.

Aliases

CVE-2019-5477

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-5477",
    "description": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.",
    "id": "GSD-2019-5477",
    "references": [
      "https://www.suse.com/security/cve/CVE-2019-5477.html",
      "https://ubuntu.com/security/CVE-2019-5477",
      "https://advisories.mageia.org/CVE-2019-5477.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "nokogiri",
            "purl": "pkg:gem/nokogiri"
          }
        }
      ],
      "aliases": [
        "CVE-2019-5477",
        "GHSA-cr5j-953j-xw5p"
      ],
      "details": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows\ncommands to be executed in a subprocess by Ruby\u0027s `Kernel.open` method.\nProcesses are vulnerable only if the undocumented method\n`Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.\n\nThis vulnerability appears in code generated by the Rexical gem versions\nv1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner\ncode for parsing CSS queries. The underlying vulnerability was addressed in\nRexical v1.0.7 and Nokogiri upgraded to this version of Rexical in\nNokogiri v1.10.4.\n\nUpgrade to Nokogiri v1.10.4, or avoid calling the undocumented method\n`Nokogiri::CSS::Tokenizer#load_file` with untrusted user input.\n",
      "id": "GSD-2019-5477",
      "modified": "2019-08-11T00:00:00.000Z",
      "published": "2019-08-11T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/sparklemotion/nokogiri/issues/1915"
        },
        {
          "type": "WEB",
          "url": "https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926"
        },
        {
          "type": "WEB",
          "url": "https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V2"
        },
        {
          "score": 9.8,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2019-5477",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Nokogiri (ruby gem)",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Fixed in v1.10.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "OS Command Injection (CWE-78)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://hackerone.com/reports/650835",
            "refsource": "MISC",
            "url": "https://hackerone.com/reports/650835"
          },
          {
            "name": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc",
            "refsource": "MISC",
            "url": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc"
          },
          {
            "name": "https://github.com/sparklemotion/nokogiri/issues/1915",
            "refsource": "CONFIRM",
            "url": "https://github.com/sparklemotion/nokogiri/issues/1915"
          },
          {
            "name": "[debian-lts-announce] 20190926 [SECURITY] [DLA 1933-1] ruby-nokogiri security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html"
          },
          {
            "name": "USN-4175-1",
            "refsource": "UBUNTU",
            "url": "https://usn.ubuntu.com/4175-1/"
          },
          {
            "name": "GLSA-202006-05",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202006-05"
          },
          {
            "name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
          },
          {
            "name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3150-1] rexical security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2019-5477",
      "cvss_v2": 7.5,
      "cvss_v3": 9.8,
      "date": "2019-08-11",
      "description": "A command injection vulnerability appears in code generated by the Rexical\ngem versions v1.0.6 and earlier. It allows commands to be executed in a\nsubprocess by Ruby\u0027s `Kernel.open` method.\n",
      "gem": "rexical",
      "ghsa": "cr5j-953j-xw5p",
      "patched_versions": [
        "\u003e= 1.0.7"
      ],
      "related": {
        "url": [
          "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc#107--2019-08-06",
          "https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ"
        ]
      },
      "title": "Rexical Command Injection Vulnerability",
      "url": "https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=1.10.3",
          "affected_versions": "All versions up to 1.10.3",
          "credit": "Katsuhiko YOSHIDA",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2019-09-26",
          "description": "A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename.",
          "fixed_versions": [
            "1.10.4"
          ],
          "identifier": "CVE-2019-5477",
          "identifiers": [
            "CVE-2019-5477"
          ],
          "not_impacted": "All versions after 1.10.3",
          "package_slug": "gem/nokogiri",
          "pubdate": "2019-08-16",
          "solution": "Upgrade to version 1.10.4 or above.",
          "title": "Command Injection",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5477",
            "https://github.com/sparklemotion/nokogiri/issues/1915"
          ],
          "uuid": "7e9c16eb-d4ee-4c0a-a3b7-ed88f1ea7125"
        },
        {
          "affected_range": "\u003c1.0.7",
          "affected_versions": "All versions before 1.0.7",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2020-10-16",
          "description": "A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method.",
          "fixed_versions": [
            "1.0.7"
          ],
          "identifier": "CVE-2019-5477",
          "identifiers": [
            "CVE-2019-5477"
          ],
          "not_impacted": "All versions starting from 1.0.7",
          "package_slug": "gem/rexical",
          "pubdate": "2019-08-16",
          "solution": "Upgrade to version 1.0.7 or above.",
          "title": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5477"
          ],
          "uuid": "36f8fc75-da5e-40e9-9bb3-15b423fc85f3"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.10.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assignments@hackerone.com",
          "ID": "CVE-2019-5477"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-78"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/650835",
              "refsource": "MISC",
              "tags": [
                "Permissions Required"
              ],
              "url": "https://hackerone.com/reports/650835"
            },
            {
              "name": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc"
            },
            {
              "name": "https://github.com/sparklemotion/nokogiri/issues/1915",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/sparklemotion/nokogiri/issues/1915"
            },
            {
              "name": "[debian-lts-announce] 20190926 [SECURITY] [DLA 1933-1] ruby-nokogiri security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html"
            },
            {
              "name": "USN-4175-1",
              "refsource": "UBUNTU",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://usn.ubuntu.com/4175-1/"
            },
            {
              "name": "GLSA-202006-05",
              "refsource": "GENTOO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202006-05"
            },
            {
              "name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
            },
            {
              "name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3150-1] rexical security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-10-14T18:46Z",
      "publishedDate": "2019-08-16T16:15Z"
    }
  }
}

cve-2019-5477

Vulnerability from cvelistv5

Published

2019-08-16 00:00

Modified

2024-08-04 19:54

Severity ?

Summary

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

References

▼	URL	Tags
	https://hackerone.com/reports/650835
	https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc
	https://github.com/sparklemotion/nokogiri/issues/1915
	https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html	mailing-list
	https://usn.ubuntu.com/4175-1/	vendor-advisory
	https://security.gentoo.org/glsa/202006-05	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html	mailing-list
	https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html	mailing-list

Impacted products

Vendor

Product

Version

▼

n/a

Nokogiri (ruby gem)

Version: Fixed in v1.10.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:54:53.581Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/650835"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/sparklemotion/nokogiri/issues/1915"
          },
          {
            "name": "[debian-lts-announce] 20190926 [SECURITY] [DLA 1933-1] ruby-nokogiri security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html"
          },
          {
            "name": "USN-4175-1",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4175-1/"
          },
          {
            "name": "GLSA-202006-05",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202006-05"
          },
          {
            "name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
          },
          {
            "name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3150-1] rexical security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Nokogiri (ruby gem)",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in v1.10.4"
            }
          ]
        }
      ],
      "datePublic": "2019-07-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby\u0027s `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "OS Command Injection (CWE-78)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-12T00:00:00",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://hackerone.com/reports/650835"
        },
        {
          "url": "https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc"
        },
        {
          "url": "https://github.com/sparklemotion/nokogiri/issues/1915"
        },
        {
          "name": "[debian-lts-announce] 20190926 [SECURITY] [DLA 1933-1] ruby-nokogiri security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html"
        },
        {
          "name": "USN-4175-1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://usn.ubuntu.com/4175-1/"
        },
        {
          "name": "GLSA-202006-05",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202006-05"
        },
        {
          "name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
        },
        {
          "name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3150-1] rexical security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2019-5477",
    "datePublished": "2019-08-16T00:00:00",
    "dateReserved": "2019-01-04T00:00:00",
    "dateUpdated": "2024-08-04T19:54:53.581Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

GHSA-cr5j-953j-xw5p

Vulnerability from github

gsd-2019-5477

Vulnerability from gsd

cve-2019-5477

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature