5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-13117

GHSA ID

GHSA-4hm9-844j-jmxp

EPSS Score

0.88625%

CWE

CWE-908

Published

5/24/2022

Updated

6/9/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-13117

CVE-2019-13117: Uninitialized read in Nokogiri gem

In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-13117

GHSA ID

GHSA-4hm9-844j-jmxp

EPSS Score

0.88625%

CWE

CWE-908

Published

5/24/2022

Updated

6/9/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nokogiri	rubygems	< 1.10.5	1.10.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The CVE description and libxslt commit c5eb6cf explicitly modify xsltNumberFormatInsertNumbers to add NULL checks, indicating this function contained an uninitialized read vulnerability when processing format strings. This is the primary function handling number formatting logic referenced in all vulnerability reports.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In num**rs.* in li*xslt *.*.**, *n xsl:num**r wit* **rt*in *orm*t strin*s *oul* l*** to * uniniti*liz** r*** in xsltNum**r*orm*tIns*rtNum**rs. T*is *oul* *llow *n *tt**k*r to *is**rn w**t**r * *yt* on t** st**k *ont*ins t** ***r**t*rs *, *, I, i, or

Reasoning

T** *V* **s*ription *n* `li*xslt` *ommit ******* *xpli*itly mo*i*y `xsltNum**r*orm*tIns*rtNum**rs` to *** NULL ****ks, in*i**tin* t*is `*un*tion` *ont*in** *n uniniti*liz** r*** vuln*r**ility w**n pro**ssin* *orm*t strin*s. T*is is t** prim*ry `*un*t

5.3

Basic Information

Concerned about an active attack path?

CVE-2019-13117: Uninitialized read in Nokogiri gem

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI