wiseadvice_public_repos
/
bundle-audit-results
3
0
Fork 0
Code Wiki

commit by to_remotes 2025-07-23 13:45:24 +0200 from cicd

main
cicd 2025-07-23 13:45:24 +02:00
parent 48085a050a
commit a3e9e89833
4 changed files with 4 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
bundle-audit-time.txt
View File

@ -1 +1 @@
2025-07-23T13:44:43+02:00
2025-07-23T13:45:24+02:00

2
bundle-audit.json
View File

@ -1 +1 @@
{"version":"0.9.2","created_at":"2025-07-23 13:44:43 +0200","results":[{"type":"unpatched_gem","gem":{"name":"nokogiri","version":"1.18.8"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/nokogiri/GHSA-353f-x4gh-cqq8.yml","id":"GHSA-353f-x4gh-cqq8","url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8","title":"Nokogiri patches vendored libxml2 to resolve multiple CVEs","date":"2025-07-21","description":"## Summary\n\nNokogiri v1.18.9 patches the vendored libxml2 to address\nCVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795,\nand CVE-2025-49796.\n\n## Impact and severity\n\n### CVE-2025-6021\n\nA flaw was found in libxml2's xmlBuildQName function, where integer\noverflows in buffer size calculations can lead to a stack-based\nbuffer overflow. This issue can result in memory corruption or a\ndenial of service when processing crafted input.\n\nNVD claims a severity of 7.5 High\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae\n\n### CVE-2025-6170\n\nA flaw was found in the interactive shell of the xmllint command-line\ntool, used for parsing XML files. When a user inputs an overly long\ncommand, the program does not check the input size properly, which\ncan cause it to crash. This issue might allow attackers to run\nharmful code in rare configurations without modern protections.\n\nNVD claims a severity of 2.5 Low\n(CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1\n\n### CVE-2025-49794\n\nA use-after-free vulnerability was found in libxml2. This issue\noccurs when parsing XPath elements under certain circumstances when\nthe XML schematron has the <sch:name path=\"...\"/> schema elements.\nThis flaw allows a malicious actor to craft a malicious XML document\nused as input for libxml, resulting in the program's crash using\nlibxml or other possible undefined behaviors.\n\nNVD claims a severity of 9.1 Critical\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5\n\n### CVE-2025-49795\n\nA NULL pointer dereference vulnerability was found in libxml2 when\nprocessing XPath XML expressions. This flaw allows an attacker to\ncraft a malicious XML input to libxml2, leading to a denial of service.\n\nNVD claims a severity of 7.5 High\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278\n\n### CVE-2025-49796\n\nA vulnerability was found in libxml2. Processing certain sch:name\nelements from the input XML file can trigger a memory corruption\nissue. This flaw allows an attacker to craft a malicious XML input\nfile that can lead libxml to crash, resulting in a denial of service\nor other possible undefined behavior due to sensitive data being\ncorrupted in memory.\n\nNVD claims a severity of 9.1 Critical\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5\n\n## Affected Versions\n\n- Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2\n\n## Patched Versions\n\n- Nokogiri >= 1.18.9\n\n## Mitigation\n\nUpgrade to Nokogiri v1.18.9 or later.\n\nUsers who are unable to upgrade Nokogiri may also choose a more\ncomplicated mitigation: compile and link Nokogiri against patched\nexternal libxml2 libraries which will also address these same issues.\n","cvss_v2":null,"cvss_v3":null,"cve":null,"osvdb":null,"ghsa":"353f-x4gh-cqq8","unaffected_versions":[],"patched_versions":[">= 1.18.9"],"criticality":null}},{"type":"unpatched_gem","gem":{"name":"thor","version":"1.3.2"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/thor/CVE-2025-54314.yml","id":"CVE-2025-54314","url":"https://github.com/advisories/GHSA-mqcp-p2hv-vw6x","title":"Thor can construct an unsafe shell command from library input.","date":"2025-07-20","description":"Thor before 1.4.0 can construct an unsafe shell command\nfrom library input.\n","cvss_v2":null,"cvss_v3":2.8,"cve":"2025-54314","osvdb":null,"ghsa":"mqcp-p2hv-vw6x","unaffected_versions":[],"patched_versions":[">= 1.4.0"],"criticality":"low"}}]}
{"version":"0.9.2","created_at":"2025-07-23 13:45:24 +0200","results":[]}

19
report.txt
View File

@ -1,18 +1 @@
Name: nokogiri
Version: 1.18.8
GHSA: GHSA-353f-x4gh-cqq8
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8
Title: Nokogiri patches vendored libxml2 to resolve multiple CVEs
Solution: update to '>= 1.18.9'
Name: thor
Version: 1.3.2
CVE: CVE-2025-54314
GHSA: GHSA-mqcp-p2hv-vw6x
Criticality: Low
URL: https://github.com/advisories/GHSA-mqcp-p2hv-vw6x
Title: Thor can construct an unsafe shell command from library input.
Solution: update to '>= 1.4.0'
Vulnerabilities found!
No vulnerabilities found

9
update-info.txt
View File

@ -1,12 +1,5 @@
Updating ruby-advisory-db ...
Updating 6434583..0340343
Fast-forward
gems/jquery-ui-rails/CVE-2022-31160.yml | 2 +-
gems/nokogiri/GHSA-353f-x4gh-cqq8.yml | 106 ++++++++++++++++++++++++++++++++
gems/thor/CVE-2025-54314.yml | 21 +++++++
3 files changed, 128 insertions(+), 1 deletion(-)
create mode 100644 gems/nokogiri/GHSA-353f-x4gh-cqq8.yml
create mode 100644 gems/thor/CVE-2025-54314.yml
Already up to date.
Updated ruby-advisory-db
ruby-advisory-db:
advisories: 996 advisories