Description
Vulnerable Library - chromedriver-helper-2.1.1.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.8.gem
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Vulnerabilities
| CVE | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (chromedriver-helper version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| WS-2022-0089 |  High |
8.8 | Not Defined | nokogiri-1.10.8.gem | Transitive | N/A* | ❌ | ||
| CVE-2022-29181 | High |
8.2 | Not Defined | 0.4% | nokogiri-1.10.8.gem | Transitive | N/A* | ❌ | |
| CVE-2024-34459 | High |
7.5 | Not Defined | 0.0% | nokogiri-1.10.8.gem | Transitive | N/A* | ❌ | |
| CVE-2022-24836 | High |
7.5 | Not Defined | 2.4% | nokogiri-1.10.8.gem | Transitive | N/A* | ❌ | |
| CVE-2021-41098 | High |
7.5 | Not Defined | 0.1% | nokogiri-1.10.8.gem | Transitive | N/A* | ❌ | |
| CVE-2020-26247 |  Low |
2.6 | Not Defined | 0.2% | nokogiri-1.10.8.gem | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2022-0089
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri before version 1.13.2 is vulnerable.
Publish Date: 2024-12-05
URL: WS-2022-0089
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-fq42-c5rg-92c2
Release Date: 2024-12-05
Fix Resolution: nokogiri - v1.13.2
CVE-2022-29181
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.
Publish Date: 2022-05-20
URL: CVE-2022-29181
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181
Release Date: 2022-05-20
Fix Resolution: nokogiri - 1.13.6
CVE-2024-34459
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.
Mend Note: This vulnerability does not affect RubyGem's Nokogiri directly, but its dependency libxml2, which is downloaded during Nokogiri's depndency resolution.
Publish Date: 2024-05-13
URL: CVE-2024-34459
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-r95h-9x8f-r3f7
Release Date: 2024-05-14
Fix Resolution: libxml2-v2.11.8,v2.12.7, nokogiri - 1.16.5
CVE-2022-24836
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.
Publish Date: 2022-04-11
URL: CVE-2022-24836
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 2.4%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-crjr-9rc5-ghw8
Release Date: 2022-04-11
Fix Resolution: nokogiri - 1.13.4
CVE-2021-41098
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.
Publish Date: 2021-09-27
URL: CVE-2021-41098
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098
Release Date: 2021-09-27
Fix Resolution: nokogiri - 1.12.5
CVE-2020-26247
Vulnerable Library - nokogiri-1.10.8.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.8.gem
Dependency Hierarchy:
- chromedriver-helper-2.1.1.gem (Root Library)
- ❌ nokogiri-1.10.8.gem (Vulnerable Library)
Found in HEAD commit: 84d8c4c8d5cfac4705d302f9b44c063177f8ae86
Found in base branch: main
Vulnerability Details
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
Publish Date: 2020-12-30
URL: CVE-2020-26247
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (2.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-12-30
Fix Resolution: 1.11.0.rc4
Activity