Fluid Attacks Database

Description

Nokogiri subject to DoS via libxml2 vulnerability The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 (as used in nokogiri before 1.6.7.1) does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	nokogiri	>=1.6.0 <1.6.7.1	1.6.7.1
debian 13	libxml2	>=0 <2.9.3+dfsg1-1	2.9.3+dfsg1-1
debian 12	libxml2	>=0 <2.9.3+dfsg1-1	2.9.3+dfsg1-1
debian 14	libxml2	>=0 <2.9.3+dfsg1-1	2.9.3+dfsg1-1
debian 11	libxml2	>=0 <2.9.3+dfsg1-1	2.9.3+dfsg1-1
nuget	libxml2	>=0 <=2.9.2	-
rpm rhel7	libxml2	<0:2.9.1-6.el7_2.2	0:2.9.1-6.el7_2.2
rpm rhel6	libxml2	<0:2.7.6-20.el6_7.1	0:2.7.6-20.el6_7.1
rpm rhel5	libxml2	-	-

Aliases

1. CVE-2015-53122. NVD-2015-53123. OSV-2015-53124. OSV-DEBIAN-2015-53125. GCVE-2015-53126. security.gentoo.org7. SECURITY-TRACKER-CVE-2015-5312

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=12766932. https://git.gnome.org/browse/libxml2/commit/?id=69030714cde66d525a8884bda01b9e8f0abf8e1e3. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml4. https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s5. https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c049441726. https://support.apple.com/HT2061667. https://support.apple.com/HT2061678. https://support.apple.com/HT2061689. https://support.apple.com/HT20616910. http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html11. http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html12. http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html13. http://marc.info/?l=bugtraq&m=145382616617563&w=214. http://rhn.redhat.com/errata/RHSA-2015-2549.html15. http://rhn.redhat.com/errata/RHSA-2015-2550.html16. http://www.debian.org/security/2015/dsa-343017. http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html18. http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html19. http://www.ubuntu.com/usn/USN-2834-120. http://xmlsoft.org/news.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.