logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2021-41098 nokogiri

Package

Manager: gem
Name: nokogiri
Vulnerable Version: >=0 <1.12.5

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00737 pctl0.71967

Details

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby ### Severity The Nokogiri maintainers have evaluated this as [**High Severity** 7.5 (CVSS3.0)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C/MAV:N/MAC:L) for JRuby users. (This security advisory does not apply to CRuby users.) ### Impact In Nokogiri v1.12.4 and earlier, **on JRuby only**, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: - Nokogiri::XML::SAX::Parser - Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser - Nokogiri::XML::SAX::PushParser - Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser ### Mitigation JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.

Metadata

Created: 2021-09-27T20:12:47Z
Modified: 2021-09-28T18:46:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-2rr5-8q37-2w7h/GHSA-2rr5-8q37-2w7h.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-2rr5-8q37-2w7h
Finding: F083
Auto approve: 1