What is CVE-2022-29181?

CVE-2022-29181 is a vulnerability in the Nokogiri library prior to version 1.13.6 that allows specially crafted inputs to cause illegal memory access errors or reads from unrelated memory.

What is the severity of CVE-2022-29181?

The severity of CVE-2022-29181 is high, with a severity score of 8.2.

Which software versions are affected by CVE-2022-29181?

The affected software versions are Nokogiri prior to version 1.13.6 and Apple macOS Ventura up to version 13.1.

How can I mitigate the risk of CVE-2022-29181?

To mitigate the risk of CVE-2022-29181, update Nokogiri to version 1.13.6 and Apple macOS Ventura to version 13.1.

Where can I find more information about CVE-2022-29181?

More information about CVE-2022-29181 can be found at the following references: [Apple Support](https://support.apple.com/en-us/HT213532), [GitHub Security Advisory](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-29181).

Vulnerability/
CVE-2022-29181

high

8.2

CWE

241 843

20/5/2022

23/5/2022

4/5/2023

CVE-2022-29181

First published: Fri May 20 2022(Updated: )

### Summary Nokogiri `< v1.13.6` does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. ### Severity The Nokogiri maintainers have evaluated this as **High 8.2** (CVSS3.1). ### Mitigation CRuby users should upgrade to Nokogiri `>= 1.13.6`. JRuby users are not affected. ### Workarounds To avoid this vulnerability in affected applications, ensure the untrusted input is a `String` by calling `#to_s` or equivalent. ### Credit This vulnerability was responsibly reported by @agustingianni and the Github Security Lab.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Nokogiri Nokogiri	<1.13.6
Apple macOS	>=13.0<13.1
rubygems/nokogiri	<1.13.6	1.13.6

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

HT213532

Frequently Asked Questions

What is CVE-2022-29181?
CVE-2022-29181 is a vulnerability in the Nokogiri library prior to version 1.13.6 that allows specially crafted inputs to cause illegal memory access errors or reads from unrelated memory.
What is the severity of CVE-2022-29181?
The severity of CVE-2022-29181 is high, with a severity score of 8.2.
Which software versions are affected by CVE-2022-29181?
The affected software versions are Nokogiri prior to version 1.13.6 and Apple macOS Ventura up to version 13.1.
How can I mitigate the risk of CVE-2022-29181?
To mitigate the risk of CVE-2022-29181, update Nokogiri to version 1.13.6 and Apple macOS Ventura to version 13.1.
Where can I find more information about CVE-2022-29181?
More information about CVE-2022-29181 can be found at the following references: [Apple Support](https://support.apple.com/en-us/HT213532), [GitHub Security Advisory](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-29181).

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/apple-support
source/Apple
alias/CVE-2022-29181
agent/software-canonical-lookup
collector/github-advisory
alias/GHSA-xh29-r2w5-wx8m
collector/github-advisory-latest
collector/nvd-cve
collector/nvd-index
vendor/apple
canonical/apple macos ventura
package-manager/rubygems
vendor/nokogiri
canonical/nokogiri nokogiri
canonical/apple macos
version/apple macos/13.0