bundle-audit-results/bundle-audit.json

{"version":"0.9.1","created_at":"2024-02-06 12:07:25 +0100","results":[{"type":"unpatched_gem","gem":{"name":"nokogiri","version":"1.16.0"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml","id":"GHSA-xc9x-jj77-9p9j","url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j","title":"Improper Handling of Unexpected Data Type in Nokogiri","date":"2024-02-04","description":"### Summary\n\nNokogiri v1.16.2 upgrades the version of its dependency libxml2 to v2.12.5.\n\nlibxml2 v2.12.5 addresses the following vulnerability:\n\nCVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062\ndescribed at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604\npatched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970\n\nPlease note that this advisory only applies to the CRuby implementation of\nNokogiri < 1.16.2, and only if the packaged libraries are being used. If\nyou've overridden defaults at installation time to use system libraries\ninstead of packaged libraries, you should instead pay attention to your\ndistro's libxml2 release announcements.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as **Moderate**.\n\n### Mitigation\n\nUpgrade to Nokogiri >= 1.16.2.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated\nmitigation: compile and link Nokogiri against external libraries libxml2 >=\n2.12.5 which will also address these same issues.\n\nJRuby users are not affected.\n\n### Workarounds\n","cvss_v2":null,"cvss_v3":null,"cve":null,"osvdb":null,"ghsa":"xc9x-jj77-9p9j","unaffected_versions":[],"patched_versions":[">= 1.16.2"],"criticality":null}}]}