9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-5477

GHSA ID

GHSA-cr5j-953j-xw5p

EPSS Score

0.77529%

CWE

CWE-78

Published

8/19/2019

Updated

8/28/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-5477

CVE-2019-5477: Nokogiri Command Injection Vulnerability

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-5477

GHSA ID

GHSA-cr5j-953j-xw5p

EPSS Score

0.77529%

CWE

CWE-78

Published

8/19/2019

Updated

8/28/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nokogiri	rubygems	< 1.10.4	1.10.4
rexical	rubygems	< 1.0.7	1.0.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly identifies Nokogiri::CSS::Tokenizer#load_file as the entry point when processing untrusted filenames. The commit diff shows this method originally used Kernel.open(filename), which executes shell commands when given pipe operators. The patch changes this to File.open(filename), which is safe. The Rexical-generated code (tokenizer.rex) produced this vulnerable implementation, but the direct vulnerable function in Nokogiri is clearly identified in the Tokenizer class.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *omm*n* inj**tion vuln*r**ility in Noko*iri v*.**.* *n* **rli*r *llows *omm*n*s to ** *x**ut** in * su*pro**ss vi* Ru*y's `K*rn*l.op*n` m*t*o*. Pro**ss*s *r* vuln*r**l* only i* t** un*o*um*nt** m*t*o* `Noko*iri::*SS::Tok*niz*r#lo**_*il*` is **in* *

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s `Noko*iri::*SS::Tok*niz*r#lo**_*il*` *s t** *ntry point w**n pro**ssin* untrust** *il*n*m*s. T** *ommit *i** s*ows t*is m*t*o* ori*in*lly us** `K*rn*l.op*n(*il*n*m*)`, w*i** *x**ut*s s**ll *omm*n*s

9.8

Basic Information

Concerned about an active attack path?

CVE-2019-5477: Nokogiri Command Injection Vulnerability

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI