Description

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.

Related CPE's

a

nokogiri

nokogiri

*

*

*

*

*

ruby

Vulnerable

References

https://github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f6d

PatchThird Party Advisory

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h

Third Party Advisory

Weaknesses

[email protected]

Primary
CWE-611

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.5 · High

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2021-09-27T20:15:07.397

3 years ago

Last modified

2021-10-06T20:17:08.587

3 years ago