CVE-2019-5477
Severity: CRITICAL
Nokogiri < 1.10.4 - OS Command Injection via Nokogiri::CSS::Tokenizer#load_file
Title source: llmDescription
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
References (8)
Core References
Mailing List, Third Party Advisory (mailing-list): https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html
Third Party Advisory (vendor-advisory): https://usn.ubuntu.com/4175-1/
Third Party Advisory (vendor-advisory): https://security.gentoo.org/glsa/202006-05
Mailing List, Third Party Advisory (mailing-list): https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
Mailing List, Third Party Advisory (mailing-list): https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html
Patch, Third Party Advisory: https://github.com/sparklemotion/nokogiri/issues/1915
Permissions Required: https://hackerone.com/reports/650835
Scores
CVSS v3: 9.8
EPSS: 0.0832
EPSS Percentile: 92.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-78
Status: published
Products (9)
canonical/ubuntu_linux: 16.04
canonical/ubuntu_linux: 18.04
canonical/ubuntu_linux: 19.04
canonical/ubuntu_linux: 19.10
debian/debian_linux: 8.0
debian/debian_linux: 10.0
nokogiri/nokogiri: < 1.10.3
rubygems/nokogiri: 0 - 1.10.4 (RubyGems)
rubygems/rexical: 0 - 1.0.7 (RubyGems)
Published: Aug 16, 2019
Tracked Since: Feb 18, 2026