Vulnerability Details : CVE-2019-5477
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
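The advisory's point is that `Kernel.open` interprets a filename beginning with `|` as a command to spawn, so a file-loading helper that passes user-controlled names straight to `open` becomes a command injection. The following Ruby example is added here and is not Nokogiri's or Rexical's code: it shows a hardened replacement for a `load_file`-style helper (the name `read_css_file` is an assumption) that rejects pipe-prefixed names and reads through `File.open`, which treats its argument strictly as a path.

```ruby
# Added example, not code from Nokogiri or Rexical.
# Kernel.open("|cmd") spawns a subprocess; File.open never does.
require "tempfile"

# Filenames that Kernel.open would treat as a command to run.
PIPE_PREFIX = /\A\s*\|/

# Hardened stand-in (hypothetical name) for a load_file-style helper:
# rejects pipe-prefixed names and uses File.open, which only opens paths.
def read_css_file(filename)
  name = filename.to_s
  if name.match?(PIPE_PREFIX)
    raise ArgumentError, "refusing pipe-prefixed filename: #{name.inspect}"
  end
  File.open(name, "r", &:read)
end

# Returns true when the helper refuses the name without opening anything.
def rejects_pipe?(filename)
  read_css_file(filename)
  false
rescue ArgumentError
  true
end

# Round-trip through a constructed temporary file to show the normal path.
def demo
  Tempfile.create(["query", ".css"]) do |f|
    f.write("div > p")
    f.flush
    read_css_file(f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts demo                       # "div > p"
  puts rejects_pipe?("|echo hi")  # true: refused, nothing executed
end
```

The check on the `|` prefix is belt-and-braces: `File.open` alone already closes the hole, and the explicit rejection makes attempted injection visible in application logs instead of silently opening a file literally named `|…`.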
Products affected by CVE-2019-5477
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-5477
2.45% probability of exploitation activity in the next 30 days
~90th percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-5477
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2019-5477
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Assigned by:
- nvd@nist.gov (Primary)
- support@hackerone.com (Secondary)
References for CVE-2019-5477
- https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html: [SECURITY] [DLA 3149-1] ruby-nokogiri security update (Mailing List; Third Party Advisory)
- https://github.com/sparklemotion/nokogiri/issues/1915: CVE-2019-5477 - Nokogiri Command Injection Vulnerability · Issue #1915 · sparklemotion/nokogiri · GitHub (Patch; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html: [SECURITY] [DLA 3150-1] rexical security update (Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html: [SECURITY] [DLA 1933-1] ruby-nokogiri security update (Mailing List; Third Party Advisory)
- https://usn.ubuntu.com/4175-1/: USN-4175-1: Nokogiri vulnerability | Ubuntu security notices (Third Party Advisory)
- https://security.gentoo.org/glsa/202006-05: Nokogiri: Command injection (GLSA 202006-05) — Gentoo security (Third Party Advisory)
- https://hackerone.com/reports/650835: HackerOne report (Permissions Required)
- https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc: rexical/CHANGELOG.rdoc at master · tenderlove/rexical · GitHub (Release Notes)