Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2021-0063)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.1.10.2021.0063

Categoría: Mageia Linux Local Security Checks

Título: Mageia: Security Advisory (MGASA-2021-0063)

Resumen: The remote host is missing an update for the 'ruby-nokogiri' package(s) announced via the MGASA-2021-0063 advisory.

Descripción: Summary:
The remote host is missing an update for the 'ruby-nokogiri' package(s) announced via the MGASA-2021-0063 advisory.

Vulnerability Insight:
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
commands to be executed in a subprocess via Ruby's `Kernel.open` method.
Processes are vulnerable only if the undocumented method
`Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as
the filename (CVE-2019-5477).

In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML
Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing
external resources to be accessed over the network, potentially enabling XXE or
SSRF attacks. This behavior is counter to the security policy followed by
Nokogiri maintainers, which is to treat all input as untrusted by default
whenever possible (CVE-2020-26247).

The ruby-nokogiri package has been updated to version 1.10.10 to fix
CVE-2019-5477 and patched to fix CVE-2020-26247.

Affected Software/OS:
'ruby-nokogiri' package(s) on Mageia 7.

Solution:
Please install the updated package(s).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2019-5477
https://security.gentoo.org/glsa/202006-05
https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc
https://hackerone.com/reports/650835
https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html
https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html
https://usn.ubuntu.com/4175-1/
Common Vulnerability Exposure (CVE) ID: CVE-2020-26247
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
https://security.gentoo.org/glsa/202208-29
https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
https://hackerone.com/reports/747489
https://rubygems.org/gems/nokogiri
https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html

Copyright Copyright (C) 2022 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.1.10.2021.0063
Categoría:	Mageia Linux Local Security Checks
Título:	Mageia: Security Advisory (MGASA-2021-0063)
Resumen:	The remote host is missing an update for the 'ruby-nokogiri' package(s) announced via the MGASA-2021-0063 advisory.
Descripción:	Summary: The remote host is missing an update for the 'ruby-nokogiri' package(s) announced via the MGASA-2021-0063 advisory. Vulnerability Insight: A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename (CVE-2019-5477). In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible (CVE-2020-26247). The ruby-nokogiri package has been updated to version 1.10.10 to fix CVE-2019-5477 and patched to fix CVE-2020-26247. Affected Software/OS: 'ruby-nokogiri' package(s) on Mageia 7. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2019-5477 https://security.gentoo.org/glsa/202006-05 https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc https://hackerone.com/reports/650835 https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html https://usn.ubuntu.com/4175-1/ Common Vulnerability Exposure (CVE) ID: CVE-2020-26247 https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m https://security.gentoo.org/glsa/202208-29 https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4 https://hackerone.com/reports/747489 https://rubygems.org/gems/nokogiri https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html
Copyright	Copyright (C) 2022 Greenbone AG