
Cloud Vulnerability DB
A community-led vulnerabilities database
Nokogiri v1.13.2 addresses security vulnerabilities in two of its packaged dependencies: libxml2 (upgraded from v2.9.12 to v2.9.13) and libxslt (upgraded from v1.1.34 to v1.1.35). The issue affects the CRuby implementation of Nokogiri in versions below 1.13.2, specifically installs that use the packaged (vendored) libraries. The update addresses two significant CVEs: CVE-2021-30560 in libxslt (CVSS 8.8, High severity) and CVE-2022-23308 in libxml2 (Unspecified severity). The advisory was published on February 21, 2022, and last updated on January 11, 2023 (GitHub Advisory).
The advisory covers two distinct issues in bundled dependencies. The libxslt vulnerability (CVE-2021-30560) affects all versions prior to v1.1.35 and carries a CVSS v3 score of 8.8 (High). The libxml2 vulnerability (CVE-2022-23308) is triggered when parsing untrusted documents with a specific combination of parse options: DTDVALID enabled and NOENT disabled. NOENT is disabled by default for most parsing operations, but it is enabled by default for XSLT stylesheet parsing in Nokogiri v1.12.0 and later. DTDVALID is not set by default for any operation in Nokogiri (GitHub Advisory).
The two issues have different impacts. For libxslt (CVE-2021-30560), applications that transform XML with untrusted XSL stylesheets are exposed to denial of service. For libxml2 (CVE-2022-23308), applications may be exposed to denial of service, memory disclosure, or code execution when parsing untrusted documents with the parse options described above. The impact is therefore greatest for applications that explicitly set the DTDVALID parse option while handling untrusted documents (GitHub Advisory).
The primary mitigation is to upgrade to Nokogiri version 1.13.2 or higher. Users who cannot upgrade can instead build and link an older version of Nokogiri against external (system) libraries libxml2 >= 2.9.13 and libxslt >= 1.1.35. Users who overrode the defaults at installation time to use system libraries should watch their distribution's libxml2 and libxslt release announcements for security updates (GitHub Advisory).
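The version thresholds and the DTDVALID/NOENT combination above can be checked mechanically. The following audit helper is an added example, not part of the advisory or of Nokogiri itself; it consumes the hash shape that Nokogiri::VERSION_INFO returns ("nokogiri", "libxml" and "libxslt" keys with "source" and "loaded" values, as seen on a real install) plus a ParseOptions bitmask, and needs no Nokogiri install, so it can be run against data copied from a production host. The sample hash is constructed.

```ruby
require "rubygems" # Gem::Version (stdlib) for dotted-version comparison

FIXED_NOKOGIRI = Gem::Version.new("1.13.2")
FIXED_LIBXML2  = Gem::Version.new("2.9.13")
FIXED_LIBXSLT  = Gem::Version.new("1.1.35")

# Bit values of Nokogiri::XML::ParseOptions::NOENT and ::DTDVALID
# (identical to libxml2's XML_PARSE_NOENT and XML_PARSE_DTDVALID).
NOENT    = 1 << 1
DTDVALID = 1 << 4

# Constructed sample resembling Nokogiri::VERSION_INFO on an unpatched install.
SAMPLE_VERSION_INFO = {
  "nokogiri" => "1.13.1",
  "libxml"   => { "source" => "packaged", "loaded" => "2.9.12" },
  "libxslt"  => { "source" => "packaged", "loaded" => "1.1.34" },
}

# Returns { finding_key => remediation text }; empty when nothing in the advisory applies.
def audit_nokogiri(info, parse_options: 0)
  findings = {}
  nokogiri = Gem::Version.new(info["nokogiri"])

  { "libxml"  => [FIXED_LIBXML2, "CVE-2022-23308", :libxml2_outdated],
    "libxslt" => [FIXED_LIBXSLT, "CVE-2021-30560", :libxslt_outdated] }.each do |lib, (fixed, cve, key)|
    entry = info[lib]
    next unless entry
    loaded = Gem::Version.new(entry["loaded"])
    next unless loaded < fixed
    # Packaged libraries are only replaced by upgrading Nokogiri; system libraries
    # come from the distribution (or from a rebuild against a newer library).
    fix = if entry["source"] == "packaged" && nokogiri < FIXED_NOKOGIRI
            "upgrade Nokogiri to >= #{FIXED_NOKOGIRI}"
          else
            "update the system #{lib} to >= #{fixed} or rebuild Nokogiri against it"
          end
    findings[key] = "#{lib} #{loaded} < #{fixed} (#{cve}): #{fix}"
  end

  # CVE-2022-23308 is reachable only with DTDVALID on and NOENT off. Nokogiri never
  # sets DTDVALID by default, so this flags explicitly configured parse options.
  if (parse_options & DTDVALID) != 0 && (parse_options & NOENT) == 0
    findings[:dtdvalid_without_noent] =
      "parse options enable DTDVALID without NOENT; avoid this combination on untrusted input"
  end
  findings
end

audit_nokogiri(SAMPLE_VERSION_INFO, parse_options: DTDVALID).each { |k, m| puts "#{k}: #{m}" }
```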
Source: This report was generated using AI