CVE-2019-5477

Name
CVE-2019-5477
Description
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
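The safe pattern behind the fix, as an added Ruby example (not Nokogiri's or Rexical's own code): `File.open`, unlike `Kernel#open`, never interprets a leading `|` as a command to spawn, so a caller-supplied name is only ever treated as a path. The names `safe_load_file`, `pipe_like?` and `demo` are assumptions for this illustration.

```ruby
require "tempfile"

# Hardened replacement for a load_file-style helper (hypothetical name, added
# example). File.open has no pipe-spawning behaviour, so the worst an
# attacker-controlled filename can do here is fail to open.
def safe_load_file(filename)
  File.open(filename, "rb") { |f| f.read }
end

# Defensive guard for code paths that still reach Kernel#open somewhere
# downstream: a name Kernel#open would treat as a subprocess starts with "|".
def pipe_like?(filename)
  filename.to_s.start_with?("|")
end

# Constructed demonstration: read a real temp file, then show that a
# pipe-prefixed name is looked up as a literal path (and fails) rather than
# being executed.
def demo
  tmp = Tempfile.new("css")
  tmp.write("a > b")
  tmp.close
  contents = safe_load_file(tmp.path)
  spawned = begin
    safe_load_file("|echo injected")
    true
  rescue SystemCallError
    false # no such file; nothing was run
  end
  tmp.unlink
  [contents, spawned]
end
```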
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Permissions Required https://hackerone.com/reports/650835
Release Notes https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc
Patch https://github.com/sparklemotion/nokogiri/issues/1915
Mailing List https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html
Third Party Advisory https://usn.ubuntu.com/4175-1/
Third Party Advisory https://security.gentoo.org/glsa/202006-05

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:*:*:* nokogiri >= None <= 1.10.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status