ASA-2019-00523 – Rexical, Nokogiri: Command Injection Vulnerability


Allele Security Alert

ASA-2019-00523

Identifier(s)

ASA-2019-00523, CVE-2019-5477

Title

Command Injection Vulnerability

Vendor(s)

Aaron Patterson, Mike Dalessio

Aaron Patterson, Mike Dalessio, Yoko Harada, Timothy Elliott, John Shahid, Akinori MUSHA

Product(s)

Rexical

Nokogiri

Affected version(s)

Rexical gem versions v1.0.6 and earlier

Nokogiri gem versions 1.10.3 and earlier

Fixed version(s)

Rexical gem version v1.0.7

Nokogiri gem version 1.10.4

Proof of concept

Unknown

Description

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby’s Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries.
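An added example, not Rexical's or Nokogiri's own code, contrasting the vulnerable pattern the advisory describes with a hardened loader; the class and helper names are hypothetical. It relies on the documented Ruby behaviour that Kernel#open treats a filename beginning with "|" as a command to run in a subprocess, whereas File.read and File.open always treat it as a literal path.

```ruby
require "tempfile"

# Hypothetical helper (not from the advisory): does this "filename" have the
# pipe form that Kernel#open would hand to a subprocess?
def pipe_filename?(path)
  path.to_s.start_with?("|")
end

# Vulnerable shape of a generated scanner (reconstructed for illustration,
# not Rexical's actual output): Kernel#open on untrusted input.
# A filename starting with "|" would make open() spawn a subprocess.
class UnsafeTokenizer
  def load_file(filename)
    @source = open(filename).read   # command-injection sink
  end
end

# Hardened version: File.read never interprets a leading "|" as a command,
# and the explicit guard turns the dangerous input into a clear error.
class SafeTokenizer
  attr_reader :source

  def load_file(filename)
    if pipe_filename?(filename)
      raise ArgumentError, "refusing pipe-style filename: #{filename.inspect}"
    end
    @source = File.read(filename)
    self
  end
end

# Writes constructed CSS to a temp file and loads it through the hardened
# tokenizer, returning the text it read (the legitimate use case still works).
def load_constructed_css
  Tempfile.create(["query", ".css"]) do |f|
    f.write("div > p.note")   # constructed sample input
    f.flush
    SafeTokenizer.new.load_file(f.path).source
  end
end

# Shows that the File API treats a "|..." name as a literal path: returns
# true when File.open raises ENOENT instead of running anything.
def file_api_treats_pipe_literally?
  File.open("|this-is-not-run")
  false
rescue Errno::ENOENT
  true
end
```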

Technical details

Unknown

Workaround

Avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.

Credits

Katsuhiko YOSHIDA

Reference(s)

Nokogiri security update v1.10.4
https://seclists.org/oss-sec/2019/q3/129

CVE-2019-5477 – Nokogiri Command Injection Vulnerability
https://github.com/sparklemotion/nokogiri/issues/1915

CHANGELOG.rdoc
https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc

CVE-2019-5477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477

CVE-2019-5477
https://nvd.nist.gov/vuln/detail/CVE-2019-5477

If you find any error in this alert or would like a comprehensive analysis, let us know.

Last modified: August 24, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.