CVE-2022-29181
Type Confusion vulnerability in nokogiri (RubyGems)

Type Confusion No known exploit

What is CVE-2022-29181 About?

This vulnerability is a type confusion issue in Nokogiri versions before 1.13.6, affecting the XML and HTML4 SAX parsers in the CRuby build (the native C extension; the JRuby build is not affected). The SAX parser entry points did not type-check all of their arguments, so an object that is not a String could be handed to native code that assumes a String. On CRuby this can produce an illegal memory access (segfault) or a read from unrelated memory. The outcome is denial of service or information disclosure, and it requires that the application pass an unexpected, non-String object derived from untrusted input into the parser.

Affected Software

nokogiri <1.13.6

Technical Details

Nokogiri versions prior to 1.13.6, when used with CRuby, suffer from a type confusion vulnerability in their XML and HTML4 SAX parsers. The native parser context expects its inputs (the document data and, where given, the encoding name) to be Ruby Strings, but did not verify this for every argument. If an object of another type arrives, the C extension treats it as if it had a String's memory layout, so the buffer pointer and length it reads belong to an object of a different shape. Depending on what it finds there, the parser either faults on an invalid address (a segfault, hence denial of service) or consumes bytes from unrelated memory (information disclosure, since whatever the parser reads is delivered to the application's SAX callbacks as document content). Note that the confusion is driven by the type of the object passed in, not by the bytes of a document: a String containing hostile markup is parsed normally. The fix in 1.13.6 adds the missing type checks; applications that cannot upgrade should ensure every value passed to the SAX parsers is explicitly a String before calling them.

What is the Impact of CVE-2022-29181?

Successful exploitation may allow attackers to cause a denial of service (application crash) or disclose sensitive information from process memory by getting an unexpected non-String object, built from untrusted input, passed into the SAX parsers.

What is the Exploitability of CVE-2022-29181?

Exploitation is of medium to high complexity. What the attacker needs is not so much a crafted document as a code path in which the application passes a non-String object to Nokogiri's SAX parsers. A common way for that to happen is a web framework that parses query or form parameters into Arrays or Hashes (Rack, for example, turns name[]=value into an Array), so a handler that calls something like parser.parse(params[:body]) without checking the type can be made to hand an Array to the native parser. There are no authentication or privilege requirements beyond reaching such a code path, and the vulnerability is remotely triggerable wherever attacker-controlled XML/HTML is accepted over the network. The target must be running CRuby (the JRuby build of Nokogiri is not affected) with a vulnerable version that neither casts nor checks its inputs. Applications most at risk are those that feed untrusted XML or HTML through the SAX API with loosely typed inputs, especially if they are heavily exposed to external data.
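The guard below is an added example for this advisory, not code from Nokogiri itself. It implements the workaround the Technical Details section describes (make sure only Strings reach the SAX parsers) and demonstrates the precondition discussed under exploitability by rejecting the Array, Hash, Integer and nil values a loosely typed request handler might otherwise pass through. The helper names are hypothetical; the only Nokogiri API assumed is the public Nokogiri::XML::SAX::Parser / Nokogiri::HTML4::SAX::Parser #parse_memory(data, encoding) call, and the parse step is skipped if the gem is not installed.

```ruby
# Added example for this advisory, not code from Nokogiri itself.
# A boundary guard that guarantees only real Strings reach Nokogiri's SAX
# parsers, the "cast/check inputs to String" workaround for CRuby users who
# cannot move to 1.13.6 yet. Helper names are hypothetical; the only Nokogiri
# API assumed is the public Nokogiri::XML::SAX::Parser /
# Nokogiri::HTML4::SAX::Parser #parse_memory(data, encoding) call.

class UntrustedSaxInput < TypeError; end

# Validate (data, encoding) and return a [String, String-or-nil] pair that is
# safe to pass to the native parser. Accepts a String, or an object that
# implicitly converts via #to_str (the contract Ruby's own C API uses);
# everything else, including nil, Integer, Array, Hash and objects that only
# define #to_s, is rejected rather than coerced, so no unexpected object type
# ever reaches the C extension.
def coerce_sax_input(data, encoding = nil)
  unless data.is_a?(String) || data.respond_to?(:to_str)
    raise UntrustedSaxInput, "SAX input must be a String, got #{data.class}"
  end
  str = data.is_a?(String) ? data : data.to_str
  raise UntrustedSaxInput, "#to_str did not return a String" unless str.is_a?(String)
  raise ArgumentError, "data cannot be empty" if str.empty?

  unless encoding.nil? || encoding.is_a?(String)
    raise UntrustedSaxInput, "encoding must be a String or nil, got #{encoding.class}"
  end
  [str, encoding]
end

# Parse untrusted input with a SAX document, always going through the guard.
# Requires the nokogiri gem at call time; the guard itself has no dependency.
def parse_untrusted_sax(document, data, encoding = nil, html: false)
  require "nokogiri"
  str, enc = coerce_sax_input(data, encoding)
  parser_class = html ? Nokogiri::HTML4::SAX::Parser : Nokogiri::XML::SAX::Parser
  parser = parser_class.new(document)
  enc ? parser.parse_memory(str, enc) : parser.parse_memory(str)
  document
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs (not from the page): one good, several bad.
  puts "accepted: #{coerce_sax_input("<root><a/></root>").inspect}"
  [123, nil, ["<root/>"], { "root" => nil }].each do |bad|
    begin
      coerce_sax_input(bad)
    rescue UntrustedSaxInput => e
      puts "rejected: #{e.message}"
    end
  end

  begin
    require "nokogiri"
    collector = Class.new(Nokogiri::XML::SAX::Document) do
      attr_reader :names
      def start_element(name, _attrs = [])
        (@names ||= []) << name
      end
    end.new
    parse_untrusted_sax(collector, "<root><a/><b/></root>")
    puts "elements seen: #{collector.names.inspect}"
  rescue LoadError
    puts "nokogiri is not installed; guard demonstrated without parsing"
  end
end
```

The guard deliberately does not call String(obj) or obj.to_s: that would silently turn an Array into its inspect text and hide the fact that the application is being handed the wrong type. Failing loudly with a TypeError subclass keeps the bug visible in logs while still never letting a non-String reach the extension.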

What are the Known Public Exploits?

No known public exploits are listed (PoC / Author / Link / Commentary: none).

What are the Available Fixes for CVE-2022-29181?

Available Upgrade Options

  • nokogiri
    • <1.13.6 → Upgrade to 1.13.6 or later
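A quick way to tell whether a bundle still carries an affected version, as an added example that is not part of the original page or of Nokogiri: read the project's Gemfile.lock, pick out every nokogiri spec line (including platform-specific native gems such as nokogiri (1.13.5-x86_64-linux)), and compare each version against 1.13.6. The function names and the sample lockfile are constructed for this example; entries on the "java" platform are treated as not exposed because the flaw is in the CRuby native extension.

```ruby
# Added example for this advisory (not from the page or from Nokogiri): decide
# whether a bundle is exposed to CVE-2022-29181 by reading its Gemfile.lock.
# Assumptions: the function names are hypothetical; the lockfile uses Bundler's
# standard "GEM / specs:" layout; entries on the "java" platform are treated as
# not exposed because the flaw is in the CRuby native extension.

require "rubygems"

NOKOGIRI_FIXED_VERSION = Gem::Version.new("1.13.6")

# One hash per nokogiri spec line in the lockfile:
#   { version: "1.13.5", platform: "x86_64-linux" (or nil), vulnerable: true/false }
# Spec lines are indented exactly four spaces ("    nokogiri (1.13.5)"); the
# six-space dependency lines beneath other gems are deliberately not matched.
def nokogiri_exposure(lockfile_text)
  lockfile_text.each_line.each_with_object([]) do |line, out|
    m = line.match(/\A {4}nokogiri \(([^)\-\s]+)(?:-([^)]+))?\)\s*\z/)
    next unless m
    version, platform = m[1], m[2]
    out << {
      version: version,
      platform: platform,
      vulnerable: platform != "java" && Gem::Version.new(version) < NOKOGIRI_FIXED_VERSION,
    }
  end
end

def bundle_exposed?(lockfile_text)
  nokogiri_exposure(lockfile_text).any? { |entry| entry[:vulnerable] }
end

# Constructed sample lockfile (not a real project's): a pure-Ruby spec, a JRuby
# spec and a Linux native spec, all pinned below the fixed release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.5)
        mini_portile2 (~> 2.8.0)
        racc (~> 1.4)
      nokogiri (1.13.5-java)
      nokogiri (1.13.5-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)
LOCK

if $PROGRAM_NAME == __FILE__
  nokogiri_exposure(SAMPLE_LOCKFILE).each do |e|
    puts "nokogiri #{e[:version]} #{e[:platform] || 'ruby'}: #{e[:vulnerable] ? 'VULNERABLE' : 'ok'}"
  end
  puts "bundle exposed: #{bundle_exposed?(SAMPLE_LOCKFILE)}"
end
```

Run it against a real lockfile with nokogiri_exposure(File.read("Gemfile.lock")). Gem::Version is used for the comparison rather than string comparison so that 1.13.10 is correctly ordered above 1.13.6; the platform suffix is split off first because Gem::Version does not accept the "-x86_64-linux" form.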


Additional Resources

What are Similar Vulnerabilities to CVE-2022-29181?

Similar Vulnerabilities: GHSA-mrxw-mxhj-p664, CVE-2022-23307, CVE-2022-23305, CVE-2022-23302, CVE-2021-3997