Nokogiri: CVE-2019-5477 - Nokogiri Command Injection Vulnerability

Created on 20 Jul 2019  路  4Comments  路  Source: sparklemotion/nokogiri

CVE-2019-5477 - Nokogiri Command Injection Vulnerability

This issue has been created for public disclosure of a Command Injection vulnerability that was responsibly reported by @kyoshidajp (Katsuhiko YOSHIDA).

I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Nokogiri maintainers.

Severity

Nokogiri maintainers have evaluated this as High (CVSS3 8.1)

Description

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Affected Versions

Nokogiri < v1.10.4

Mitigation

Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method Nokogiri::CSS::Tokenizer#load_file with untrusted user input.

Further Mitigating Actions Taken

This vulnerability could have been easily detected using Rubocop's Security cop, and so the Security cop has been introduced into the test suite. If for any reason Rubocop flags something as "insecure" in the future, that will fail the test suite and block release.

References


History of this public disclosure

  • 2019-07-20T19:42+00:00: empty issue-of-record created, all information is embargoed
  • 2019-08-11T19:28+00:00: embargo ends, full information made available
topisecurity

Most helpful comment

@greysteil We (HackerOne) submitted it to MITRE for publication this morning (we normally only do this once a week, unless specifically asked to do it sooner). Once they process it, should be all live.

All 4 comments

Checklist:

  • [x] push commits to v1.10.x branch
  • [x] watch nokogiri-v1.10.x pipeline go green
  • [x] release v1.10.4
  • [x] update this issue with full details
  • [x] apply those commits to master

v1.10.4 has been released addressing this vulnerability.

@flavorjones thanks for all your work on this and everything else you do.

I'm on the security team at GitHub these days, and noticed that this didn't come through to our advisory curation team via the NVD feed, even though you've got a CVE for it. It looks like that's because the CVE has been assigned but not published.

Would you mind prodding HackerOne to mark this as published, now that it's been publicly disclosed? We're also planning to make it easy to get CVEs through GitHub itself and have the publishing process for them automated, so hopefully we can help more here in future.

@greysteil We (HackerOne) submitted it to MITRE for publication this morning (we normally only do this once a week, unless specifically asked to do it sooner). Once they process it, should be all live.

Was this page helpful?
0 / 5 - 0 ratings