
CVE-2021-3517: Nokogiri contains libxml Out-of-bounds Write vulnerability

CVSS Score: 8.6 (CVSS v3.1)

Basic Information

EPSS Score: 0.22175%
Published: 5/24/2022
Updated: 8/28/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Package Name: nokogiri
Ecosystem: rubygems
Vulnerable Versions: < 1.11.4
First Patched Version: 1.11.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability CVE-2021-3517 is an out-of-bounds write within the libxml2 library, which Nokogiri uses for XML processing. The description explicitly states the flaw is in 'the xml entity encoding functionality of libxml2'.

  1. Vulnerability Location: The Red Hat Bugzilla entry for CVE-2021-3517 (ID 1954232) clearly identifies the vulnerable function as xmlEncodeEntitiesInternal() in entities.c within libxml2.
  2. Libxml2 Patch: The fix for this vulnerability in libxml2 is detailed in the GitLab commit 8598060bacada41a0eb09d95c97744ff4e428f8e. The commit message is "entities: Fix heap buffer overflow in xmlEncodeEntitiesInternal", and it modifies the file entities.c, specifically the function xmlEncodeEntitiesInternal.
  3. Nokogiri's Relation: Nokogiri itself is not where the code flaw resides but is affected because it bundles or depends on a vulnerable version of libxml2. Nokogiri version 1.11.4 updated its bundled libxml2 to version 2.9.11 (or later, 2.9.12 as per issue #2233) to mitigate this and other vulnerabilities. This is confirmed by Nokogiri's issue tracker (e.g., #2233) and changelogs.
  4. Runtime Profile: When an application using a vulnerable version of Nokogiri processes a malicious XML file designed to exploit CVE-2021-3517, Nokogiri's Ruby methods would call into the underlying libxml2 C library. The xmlEncodeEntitiesInternal function within libxml2 would be part of the execution path and, being the site of the buffer overflow, would appear in a runtime profile or stack trace during exploitation.

Although the get_commit_infos tool could not fetch the diff for the GitLab URL, the CVE description, Bugzilla information, and the libxml2 commit message and affected file path provide sufficient evidence to pinpoint xmlEncodeEntitiesInternal as the vulnerable function that would be active during exploitation through Nokogiri.

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-o
