diff --git a/bundle-audit-time.txt b/bundle-audit-time.txt
index 46c92b3..69b9c97 100644
--- a/bundle-audit-time.txt
+++ b/bundle-audit-time.txt
@@ -1 +1 @@
-2025-04-16T14:37:53+02:00
+2025-04-23T12:43:21+02:00
diff --git a/bundle-audit.json b/bundle-audit.json
index e4ce411..3b4b05c 100644
--- a/bundle-audit.json
+++ b/bundle-audit.json
@@ -1 +1 @@
-{"version":"0.9.2","created_at":"2025-04-16 14:37:53 +0200","results":[]}
\ No newline at end of file
+{"version":"0.9.2","created_at":"2025-04-23 12:43:21 +0200","results":[{"type":"unpatched_gem","gem":{"name":"nokogiri","version":"1.18.5"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/nokogiri/GHSA-5w6v-399v-w3cc.yml","id":"GHSA-5w6v-399v-w3cc","url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc","title":"Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415","date":"2025-04-21","description":"## Summary\n\nNokogiri v1.18.8 upgrades its dependency libxml2 to\n[v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8).\n\nlibxml2 v2.13.8 addresses:\n\n- CVE-2025-32414\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889\n- CVE-2025-32415\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890\n\n## Impact\n\n### CVE-2025-32414: No impact\n\nIn libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds\nmemory access can occur in the Python API (Python bindings) because\nof an incorrect return value. This occurs in xmlPythonFileRead and\nxmlPythonFileReadRaw because of a difference between bytes and characters.\n\n**There is no impact** from this CVE for Nokogiri users.\n\n### CVE-2025-32415: Low impact\n\nIn libxml2 before 2.13.8 and 2.14.x before 2.14.2,\nxmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer\nunder-read. 
To exploit this, a crafted XML document must be validated\nagainst an XML schema with certain identity constraints, or a\ncrafted XML schema must be used.\n\nIn the upstream issue, further context is provided by the maintainer:\n\n> The bug affects validation against untrusted XML Schemas (.xsd)\n> and validation of untrusted documents against trusted Schemas if\n> they make use of xsd:keyref in combination with recursively\n> defined types that have additional identity constraints.\n\nMITRE has published a severity score of 2.9 LOW\n(CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.\n","cvss_v2":null,"cvss_v3":null,"cve":null,"osvdb":null,"ghsa":"5w6v-399v-w3cc","unaffected_versions":[],"patched_versions":[">= 1.18.8"],"criticality":null}}]}
\ No newline at end of file
diff --git a/report.txt b/report.txt
index 8900c02..439d084 100644
--- a/report.txt
+++ b/report.txt
@@ -1 +1,9 @@
-No vulnerabilities found
+Name: nokogiri
+Version: 1.18.5
+GHSA: GHSA-5w6v-399v-w3cc
+Criticality: Unknown
+URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc
+Title: Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415
+Solution: update to '>= 1.18.8'
+
+Vulnerabilities found!
diff --git a/update-info.txt b/update-info.txt
index 4ee2557..6d0f177 100644
--- a/update-info.txt
+++ b/update-info.txt
@@ -1,7 +1,11 @@
 Updating ruby-advisory-db ...
-Already up to date.
+Updating 205de18..3e4a2ea
+Fast-forward
+ gems/nokogiri/GHSA-5w6v-399v-w3cc.yml | 60 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 60 insertions(+)
+ create mode 100644 gems/nokogiri/GHSA-5w6v-399v-w3cc.yml
 Updated ruby-advisory-db
 ruby-advisory-db:
- advisories: 976 advisories
- last updated: 2025-04-15 20:17:20 -0700
- commit: 205de184462e410381a0bc6bf568f319f8b40eda
+ advisories: 977 advisories
+ last updated: 2025-04-22 09:44:25 -0700
+ commit: 3e4a2ea4efeab33021312586c1c42f9d04d397a0
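Review bot: The new bundle-audit.json line commits `"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/nokogiri/GHSA-5w6v-399v-w3cc.yml"`, an absolute path from the machine that ran the audit, which records a local account name and home-directory layout in a versioned artifact while adding nothing the sibling `id` and `url` fields do not already give. If this report is meant to stay committed, drop or relativize that field where the file is written (for example `jq 'del(.results[].advisory.path)'` on the tool output before saving), so the artifact is reproducible across machines and carries no host details. Note also that the finding itself — nokogiri 1.18.5 against `"patched_versions":[">= 1.18.8"]` — is only recorded here, not fixed; the gem still needs bumping in the lockfile for the next run to return to `"results":[]`.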