4.3

CVE-2020-26247

XXE in Nokogiri

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NokogiriNokogiri SwPlatformruby Version < 1.11.0
NokogiriNokogiri Version1.11.0 Updaterc1 SwPlatformruby
NokogiriNokogiri Version1.11.0 Updaterc2 SwPlatformruby
NokogiriNokogiri Version1.11.0 Updaterc3 SwPlatformruby
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.11% 0.618
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 4 8 2.9
AV:N/AC:L/Au:S/C:P/I:N/A:N
security-advisories@github.com 2.6 1.2 1.4
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
Third Party Advisory
Mailing List
https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
Patch
Third Party Advisory
https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
Third Party Advisory
Release Notes
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
Third Party Advisory
Mitigation
https://hackerone.com/reports/747489
Permissions Required
https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html
Third Party Advisory
Mailing List
https://rubygems.org/gems/nokogiri
Third Party Advisory
Product
https://security.gentoo.org/glsa/202208-29
Third Party Advisory