CVE-2015-5312 nokogiri

Package

Manager: gem
Name: nokogiri
Vulnerable Version: >=1.6.0 <1.6.7.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01993 (percentile 0.82915)

Details

Nokogiri subject to DoS via libxml2 vulnerability

The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 (as used in nokogiri before 1.6.7.1) does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.

Metadata

Created: 2018-08-21T19:03:04Z
Modified: 2023-03-13T23:53:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-xjqg-9jvg-fgx2/GHSA-xjqg-9jvg-fgx2.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-xjqg-9jvg-fgx2
Finding: F002
Auto approve: 1