wiseadvice_public_repos
/
bundle-audit-results
3
0
Fork 0
Code Wiki

commit by to_remotes 2025-04-23 14:12:25 +0200 from cicd

main
cicd 2025-04-23 14:12:25 +02:00
parent a157067539
commit e511b4efa1
3 changed files with 3 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
bundle-audit-time.txt
View File

@ -1 +1 @@
2025-04-23T13:34:50+02:00
2025-04-23T14:07:40+02:00

2
bundle-audit.json
View File

@ -1 +1 @@
{"version":"0.9.2","created_at":"2025-04-23 13:34:50 +0200","results":[{"type":"unpatched_gem","gem":{"name":"nokogiri","version":"1.18.5"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/nokogiri/GHSA-5w6v-399v-w3cc.yml","id":"GHSA-5w6v-399v-w3cc","url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc","title":"Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415","date":"2025-04-21","description":"## Summary\n\nNokogiri v1.18.8 upgrades its dependency libxml2 to\n[v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8).\n\nlibxml2 v2.13.8 addresses:\n\n- CVE-2025-32414\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889\n- CVE-2025-32415\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890\n\n## Impact\n\n### CVE-2025-32414: No impact\n\nIn libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds\nmemory access can occur in the Python API (Python bindings) because\nof an incorrect return value. This occurs in xmlPythonFileRead and\nxmlPythonFileReadRaw because of a difference between bytes and characters.\n\n**There is no impact** from this CVE for Nokogiri users.\n\n### CVE-2025-32415: Low impact\n\nIn libxml2 before 2.13.8 and 2.14.x before 2.14.2,\nxmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer\nunder-read. To exploit this, a crafted XML document must be validated\nagainst an XML schema with certain identity constraints, or a\ncrafted XML schema must be used.\n\nIn the upstream issue, further context is provided by the maintainer:\n\n> The bug affects validation against untrusted XML Schemas (.xsd)\n> and validation of untrusted documents against trusted Schemas if\n> they make use of xsd:keyref in combination with recursively\n> defined types that have additional identity constraints.\n\nMITRE has published a severity score of 2.9 LOW\n(CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.\n","cvss_v2":null,"cvss_v3":null,"cve":null,"osvdb":null,"ghsa":"5w6v-399v-w3cc","unaffected_versions":[],"patched_versions":[">= 1.18.8"],"criticality":null}}]}
{"version":"0.9.2","created_at":"2025-04-23 14:07:39 +0200","results":[]}

10
report.txt
View File

@ -1,9 +1 @@
Name: nokogiri
Version: 1.18.5
GHSA: GHSA-5w6v-399v-w3cc
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc
Title: Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415
Solution: update to '>= 1.18.8'
Vulnerabilities found!
No vulnerabilities found