
Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Low severity · GitHub Reviewed · Published May 13, 2024 in sparklemotion/nokogiri · Updated May 16, 2024

Package

bundler nokogiri (RubyGems)

Affected versions

< 1.16.5

Patched versions

1.16.5

Description

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool, which Nokogiri neither provides nor exposes.
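As an added example (not part of this advisory and not Nokogiri project code), the following stand-alone Ruby script checks a Bundler lockfile against the patched version stated above. It uses only the Ruby standard library; the Gemfile.lock excerpt embedded in it is constructed for illustration, and the regex assumes the usual Bundler spec-line layout (four-space indent, optional platform suffix on native gems).

```ruby
# Added example: report whether a Gemfile.lock pins nokogiri below the
# patched release named in this advisory. Standard library only; the
# lockfile excerpt below is a constructed sample, not a real project's file.
require "rubygems"

PATCHED_NOKOGIRI = Gem::Version.new("1.16.5")

# Constructed sample Gemfile.lock excerpt (assumed typical Bundler layout).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.6)
      nokogiri (1.16.4-x86_64-linux)
        racc (~> 1.4)
      racc (1.7.3)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
LOCK

# Extract the nokogiri version from the "specs:" section. Native-gem entries
# carry a platform suffix such as "1.16.4-x86_64-linux"; only the numeric
# part is compared. Returns a Gem::Version or nil when nokogiri is absent.
def nokogiri_version(lockfile_text)
  m = lockfile_text.match(/^ {4}nokogiri \(([\d.]+)(?:-[^)]+)?\)/)
  m && Gem::Version.new(m[1])
end

# Returns :affected (below the patched version), :patched, or :absent.
def nokogiri_status(lockfile_text, patched = PATCHED_NOKOGIRI)
  version = nokogiri_version(lockfile_text)
  return :absent if version.nil?
  version < patched ? :affected : :patched
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_nokogiri.rb [path/to/Gemfile.lock]
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts "nokogiri #{nokogiri_version(text)}: #{nokogiri_status(text)}"
end
```

Because the advisory states that the issue lives only in xmllint, an :affected result here is a reason to pick up the 2.12.7 libxml2 bundled with 1.16.5 during routine updates rather than an emergency. Note also that this lockfile check only covers the packaged libxml2; a Nokogiri built against a system libxml2 reports the library actually in use under Nokogiri::VERSION_INFO at runtime, and that is the version to compare in that configuration.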

Timeline

  • 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
  • 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
  • 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

References

@flavorjones flavorjones published to sparklemotion/nokogiri May 13, 2024
Published to the GitHub Advisory Database May 13, 2024
Reviewed May 13, 2024
Last updated May 16, 2024

Severity

Low

EPSS score

Weaknesses

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-r95h-9x8f-r3f7

Credits
