WS-2022-0089 (High) detected in nokogiri-1.12.5.gem

Question

WS-2022-0089 (High) detected in nokogiri-1.12.5.gem

mend-bolt-for-github opened this issue 3 years ago · 0 comments

mend-bolt-for-github commented 3 years ago

WS-2022-0089 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.12.5.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem

Dependency Hierarchy:

github-pages-175.gem (Root Library)
- jekyll-mentions-1.2.0.gem
  - html-pipeline-2.7.1.gem
    - ❌ nokogiri-1.12.5.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Nokogiri before version 1.13.2 is vulnerable.

Publish Date: 2022-03-01

URL: WS-2022-0089

CVSS 3 Score Details (8.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fq42-c5rg-92c2

Release Date: 2022-03-01

Fix Resolution: nokogiri - v1.13.2

Step up your Open Source Security Game with Mend here