CVE-2021-41098.yml
---
gem: nokogiri
platform: jruby
cve: 2021-41098
ghsa: 2rr5-8q37-2w7h
url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h
title: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
date: 2021-09-27
description: |
  ### Severity
  The Nokogiri maintainers have evaluated this as [**High Severity** 7.5 (CVSS3.0)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C/MAV:N/MAC:L) for JRuby users. (This security advisory does not apply to CRuby users.)

  ### Impact
  In Nokogiri v1.12.4 and earlier, **on JRuby only**, the SAX parser resolves external entities by default.

  Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:

  - Nokogiri::XML::SAX::Parser
  - Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser
  - Nokogiri::XML::SAX::PushParser
  - Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser

  ### Mitigation
  JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.

  CRuby users are not affected.
cvss_v3: 7.5
patched_versions:
- ">= 1.12.5"
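The fields that matter when this record is consumed by a dependency checker are `gem`, `platform` and `patched_versions`: the `platform: jruby` key is what keeps CRuby installs of Nokogiri 1.12.4 from being flagged. The following Ruby snippet is an added example, not code from ruby-advisory-db or from Nokogiri; it embeds a constructed copy of the record above and decides whether a given gem, version and platform triple is affected using RubyGems' own `Gem::Version` and `Gem::Requirement` comparison. The platform strings `"jruby"` and `"ruby"` (for CRuby) are assumptions of the example.

```ruby
require 'yaml'
require 'rubygems'

# Constructed copy of the advisory record above (only the fields the check needs),
# embedded so the example runs offline.
ADVISORY_YAML = <<~YAML
  ---
  gem: nokogiri
  platform: jruby
  cve: 2021-41098
  cvss_v3: 7.5
  patched_versions:
    - ">= 1.12.5"
YAML

ADVISORY = YAML.safe_load(ADVISORY_YAML)

# Returns true when the (gem_name, version, platform) triple is vulnerable
# according to the advisory record:
#   * the gem name must match;
#   * if the record names a platform, only that platform is affected
#     (assumption: "jruby" for JRuby, "ruby" for CRuby);
#   * the version is safe only if it satisfies at least one of the
#     patched_versions requirements, evaluated with RubyGems' semantics
#     (so a prerelease such as 1.12.5.rc1 still sorts below 1.12.5).
def vulnerable?(advisory, gem_name:, version:, platform:)
  return false unless advisory['gem'] == gem_name
  return false if advisory['platform'] && advisory['platform'] != platform

  installed = Gem::Version.new(version)
  patched = Array(advisory['patched_versions']).any? do |requirement|
    Gem::Requirement.new(requirement).satisfied_by?(installed)
  end
  !patched
end

if __FILE__ == $PROGRAM_NAME
  [['1.12.4', 'jruby'], ['1.12.5', 'jruby'], ['1.12.4', 'ruby']].each do |ver, plat|
    status = vulnerable?(ADVISORY, gem_name: 'nokogiri', version: ver, platform: plat) ? 'AFFECTED' : 'ok'
    puts "nokogiri #{ver} on #{plat}: #{status}"
  end
end
```

A real checker would also honour an `unaffected_versions` list where a record has one; this record has none, so the example only evaluates `patched_versions`.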