CVE-2020-26247

Published: Dec 30, 2020Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

Affected (6)

Products: Nokogiri: Nokogiri · Debian: Debian Linux

1 product

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Nokogiri Nokogiri	Before 1.11.0
Nokogiri Nokogiri	Version 1.11.0 rc1
Nokogiri Nokogiri	Version 1.11.0 rc2
Nokogiri Nokogiri	Version 1.11.0 rc3

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (16)

https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4

Source: security-advisories@github.com

Release NotesThird Party Advisory

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Source: security-advisories@github.com

MitigationThird Party Advisory

https://hackerone.com/reports/747489

Source: security-advisories@github.com

Permissions Required

https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html

Source: security-advisories@github.com

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html

Source: security-advisories@github.com

Mailing ListThird Party Advisory

https://rubygems.org/gems/nokogiri

Source: security-advisories@github.com

ProductThird Party Advisory

https://security.gentoo.org/glsa/202208-29

Source: security-advisories@github.com

Third Party Advisory

https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationThird Party Advisory

https://hackerone.com/reports/747489

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://rubygems.org/gems/nokogiri

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

https://security.gentoo.org/glsa/202208-29

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.