CVE-2019-5477

Published: Aug 16, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Affected (7)

Products: Nokogiri: Nokogiri · Canonical: Ubuntu Linux · Debian: Debian Linux

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nokogiri Nokogiri	Up to 1.10.3

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 19.04
Canonical Ubuntu Linux	Version 19.10

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 8.0

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (16)

https://github.com/sparklemotion/nokogiri/issues/1915

Source: support@hackerone.com

PatchThird Party Advisory

https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc

Source: support@hackerone.com

Release Notes

https://hackerone.com/reports/650835

Source: support@hackerone.com

Permissions Required

https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html

Source: support@hackerone.com

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html

Source: support@hackerone.com

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html

Source: support@hackerone.com

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202006-05

Source: support@hackerone.com

Third Party Advisory

https://usn.ubuntu.com/4175-1/

Source: support@hackerone.com

Third Party Advisory

https://github.com/sparklemotion/nokogiri/issues/1915

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://hackerone.com/reports/650835

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202006-05

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://usn.ubuntu.com/4175-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.