What is CVE-2022-23476?

CVE-2022-23476 is a high-severity vulnerability in Sparklemotion Nokogiri, classified under CWE-252. CVSS score: 7.5/10. Published 2022-12-08.

How severe is CVE-2022-23476?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2022-23476 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

NULL pointer dereference in Sparklemotion Nokogiri

CVE-2022-23476

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead…

EPSS: 0.003 (50.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Sparklemotion Nokogiri — versions >= 1.13.8, < 1.13.10

Weakness classification (CWE)

Public proof-of-concept exploits

ARPSyndicate/cvemon

References

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj (x_refsource_CONFIRM)
https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce (x_refsource_MISC)
https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50 (x_refsource_MISC)

Frequently asked questions

What is CVE-2022-23476?: CVE-2022-23476 is a high-severity vulnerability in Sparklemotion Nokogiri, classified under CWE-252. CVSS score: 7.5/10. Published 2022-12-08.
How severe is CVE-2022-23476?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2022-23476 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.