Is CVE-2019-5477 actively exploited?

CVE-2019-5477 has no public evidence of in-the-wild exploitation as of 2024-11-21.

What is the CVSS score for CVE-2019-5477?

CVE-2019-5477 has a CVSS score of 9.8 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2019-5477?

Patch guidance is available from nokogiri security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2019-5477.

Fix CVE-2019-5477 - CRITICAL nokogiri nokogiri

Q: Which products are affected by CVE-2019-5477?

7 products: nokogiri nokogiri, canonical ubuntu linux, canonical ubuntu linux, canonical ubuntu linux, canonical ubuntu linux, and 2 more.

Description

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-78 · OS Command Injection CWE-78 · OS Command Injection

Metadata

Primary Vendor: NOKOGIRI
Published: 8/16/2019
Last Modified: 11/21/2024
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

nokogiri : nokogiricanonical : ubuntu_linuxcanonical : ubuntu_linuxcanonical : ubuntu_linuxcanonical : ubuntu_linuxdebian : debian_linuxdebian : debian_linux

Remediation Guidance

Executive Summary

View on NIST NVD