
Test ID: 1.3.6.1.4.1.25623.1.1.10.2021.0063
Category: Mageia Linux Local Security Checks
Title: Mageia: Security Advisory (MGASA-2021-0063)
Summary: The remote host is missing an update for the 'ruby-nokogiri' package(s) announced via the MGASA-2021-0063 advisory.
Description:
Summary:
The remote host is missing an update for the 'ruby-nokogiri' package(s) announced via the MGASA-2021-0063 advisory.

Vulnerability Insight:
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
commands to be executed in a subprocess via Ruby's `Kernel.open` method.
Processes are vulnerable only if the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as
the filename (CVE-2019-5477).

In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML
Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing
external resources to be accessed over the network, potentially enabling XXE or
SSRF attacks. This behavior is counter to the security policy followed by
Nokogiri maintainers, which is to treat all input as untrusted by default
whenever possible (CVE-2020-26247).

The ruby-nokogiri package has been updated to version 1.10.10 to fix
CVE-2019-5477 and patched to fix CVE-2020-26247.

Affected Software/OS:
'ruby-nokogiri' package(s) on Mageia 7.

Solution:
Please install the updated package(s).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-reference: Common Vulnerability Exposure (CVE) ID: CVE-2019-5477
https://security.gentoo.org/glsa/202006-05
https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc
https://hackerone.com/reports/650835
https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html
https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html
https://usn.ubuntu.com/4175-1/
Common Vulnerability Exposure (CVE) ID: CVE-2020-26247
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
https://security.gentoo.org/glsa/202208-29
https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
https://hackerone.com/reports/747489
https://rubygems.org/gems/nokogiri
https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html
Copyright: Copyright (C) 2022 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.