Allele Security Alert
ASA-2019-00523
Identifier(s)
ASA-2019-00523, CVE-2019-5477
Title
Command Injection Vulnerability
Vendor(s)
Aaron Patterson, Mike Dalessio
Aaron Patterson, Mike Dalessio, Yoko Harada, Timothy Elliott, John Shahid, Akinori MUSHA
Product(s)
Rexical
Nokogiri
Affected version(s)
Rexical gem versions v1.0.6 and earlier
Nokogiri gem versions 1.10.3 and earlier
Fixed version(s)
Rexical gem version v1.0.7
Nokogiri gem version 1.10.4
Proof of concept
Unknown
Description
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby’s Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.
This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries.
Technical details
Unknown
Workaround
Avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.
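As an added illustration of the bug class described above and of why the workaround matters (this is not Rexical's generated code or Nokogiri's own code): Ruby's Kernel#open treats an argument beginning with "|" as a command to spawn and read from, whereas File.open only ever treats its argument as a path. The module names VulnerableScanner and HardenedScanner, and the helpers pipe_prefixed? and demo, are assumed names for this example.

```ruby
require "tempfile"

# Added illustration of the bug class, not Rexical's generated code.
# Kernel#open interprets a leading "|" as "spawn this command and read
# its output", so an untrusted filename can become a command.
module VulnerableScanner
  def self.load_file(filename)
    open(filename, "r") { |f| f.read } # Kernel#open: "|cmd" would spawn cmd
  end
end

# Hardened form: File.open never interprets "|"; the string is only a path.
module HardenedScanner
  def self.load_file(filename)
    File.open(filename, "r") { |f| f.read }
  end
end

# Defensive pre-check for any file-taking API: flag names that Kernel#open
# would treat as a pipe rather than a path.
def pipe_prefixed?(filename)
  filename.to_s.start_with?("|")
end

# Run the hardened loader on a constructed temp file (real content) and on
# a constructed pipe-style name, which must be refused as a non-existent
# path rather than executed.
def demo
  Tempfile.create("scanner-rules") do |tmp|
    tmp.write("rule\n")
    tmp.flush
    normal = HardenedScanner.load_file(tmp.path)
    refused = begin
      HardenedScanner.load_file("|echo injected") # constructed; no command runs
      false
    rescue Errno::ENOENT
      true
    end
    { normal: normal, pipe_refused: refused }
  end
end
```

Calling demo returns the file's content for the real path and pipe_refused: true for the pipe-style name, showing the fix preserves behaviour on legitimate input while removing the subprocess path.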
Credits
Katsuhiko YOSHIDA
Reference(s)
Nokogiri security update v1.10.4
https://seclists.org/oss-sec/2019/q3/129
CVE-2019-5477 – Nokogiri Command Injection Vulnerability
https://github.com/sparklemotion/nokogiri/issues/1915
CHANGELOG.rdoc
https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc
CVE-2019-5477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5477
CVE-2019-5477
https://nvd.nist.gov/vuln/detail/CVE-2019-5477
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: August 24, 2019