
CVE-2021-30560: Nokogiri has vulnerable dependencies on libxml2 and libxslt

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.27019%
Published: 5/24/2022
Updated: 11/1/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: nokogiri
Ecosystem: rubygems
Vulnerable Versions: < 1.13.2
First Patched Version: 1.13.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability CVE-2021-30560 is a use-after-free in the libxslt C library, which Nokogiri uses. The commit information provided shows that Nokogiri addressed it by updating its vendored copy of libxslt. There are no changes to Nokogiri's Ruby source files that point to a specific vulnerable Ruby function: the defect lies in the underlying C library, not in Nokogiri's Ruby code. No Ruby function can therefore be identified as 'vulnerable' from the patch; rather, any Nokogiri function that calls into libxslt to perform XSLT transformations could trigger the bug when it processes a malicious XSLT stylesheet with a vulnerable libxslt build.

WAF Protection Rules

WAF Rule

Use after free in Blink XSLT in Google Chrome prior to **.*.****.*** allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
