{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-14T23:14:39.203","vulnerabilities":[{"cve":{"id":"CVE-2019-5477","sourceIdentifier":"support@hackerone.com","published":"2019-08-16T16:15:10.637","lastModified":"2024-11-21T04:45:00.610","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4."},{"lang":"es","value":"Una vulnerabilidad de inyección de comandos en Nokogiri versión v1.10.3 y anteriores, permite que los comandos sean ejecutados en un subproceso por medio del método \"Kernel.open\" de Ruby. Los procesos son vulnerables solo si el método no documentado \"Nokogiri::CSS::Tokenizer#load_file\" está siendo llamado con una entrada de usuario no segura como el nombre de archivo. Esta vulnerabilidad aparece en un código generado por la gema Rexical versión v1.0.6 y anteriores. Nokogiri es usada por Rexical para generar código de escáner léxico para analizar consultas CSS. La vulnerabilidad subyacente fue abordada en Rexical versión v1.0.7 y Nokogiri actualizada a esta versión de Rexical en Nokogiri versión v1.10.4."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"support@hackerone.com","type":"Secondary","description":[{"lang":"en","value":"CWE-78"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:*:*:*","versionEndIncluding":"1.10.3","matchCriteriaId":"E018DCFD-3E4A-4D78-B63A-488052EF45E7"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","matchCriteriaId":"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B"},{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","matchCriteriaId":"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D"},{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*","matchCriteriaId":"CD783B0C-9246-47D9-A937-6144FE8BFF0F"},{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*","matchCriteriaId":"A31C8344-3E02-4EB8-8BD8-4C84B7959624"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","matchCriteriaId":"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"},{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}],"references":[{"url":"https://github.com/sparklemotion/nokogiri/issues/1915","source":"support@hackerone.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc","source":"support@hackerone.com","tags":["Release Notes"]},{"url":"https://hackerone.com/reports/650835","source":"support@hackerone.com","tags":["Permissions Required"]},{"url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html","source":"support@hackerone.com","tags":["Mailing List","Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html","source":"support@hackerone.com","tags":["Mailing List","Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html","source":"support@hackerone.com","tags":["Mailing List","Third Party Advisory"]},{"url":"https://security.gentoo.org/glsa/202006-05","source":"support@hackerone.com","tags":["Third Party Advisory"]},{"url":"https://usn.ubuntu.com/4175-1/","source":"support@hackerone.com","tags":["Third Party Advisory"]},{"url":"https://github.com/sparklemotion/nokogiri/issues/1915","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes"]},{"url":"https://hackerone.com/reports/650835","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Permissions Required"]},{"url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00027.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00019.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"https://security.gentoo.org/glsa/202006-05","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://usn.ubuntu.com/4175-1/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}