CVE-2021-41098: XML External Entity (XXE) Injection in Nokogiri

Severity
7.5 HIGH (NVD)
EPSS
0.6% (top 31.56%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 27, 2021

Description

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default, so a crafted document can pull in local files or remote resources and feed their contents to the application's SAX callbacks. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parser, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::
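The following is an added example, not code from Nokogiri or from any of the advisories on this page. It shows the shape of the document that triggers the issue (a constructed XXE probe with an external general entity), a version/platform check against the fixed release, and a defence-in-depth guard that refuses untrusted XML carrying a DOCTYPE before it reaches a SAX handler. The handler class, the `file:///etc/passwd` target and the function names are assumptions for illustration; Nokogiri is only required if it is installed.

```ruby
# Added example: not Nokogiri's own code. Demonstrates the vulnerable input
# shape for CVE-2021-41098 and two practical checks around it.
require 'rubygems'

# The advisory fixes the JRuby SAX parser in 1.12.5.
FIXED_VERSION = Gem::Version.new('1.12.5')

# True only for the affected combination: JRuby engine + Nokogiri < 1.12.5.
# ruby_engine defaults to the running interpreter ("jruby" under JRuby).
def sax_xxe_affected?(nokogiri_version, ruby_engine = RUBY_ENGINE)
  ruby_engine == 'jruby' && Gem::Version.new(nokogiri_version) < FIXED_VERSION
end

# Constructed XXE probe: an external general entity whose expansion an
# affected parser would resolve and hand to the characters() callback.
XXE_PAYLOAD = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE data [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
  ]>
  <data>&xxe;</data>
XML

# Constructed benign document for comparison.
BENIGN_DOC = <<~XML
  <?xml version="1.0"?>
  <data>hello</data>
XML

# Guard: untrusted XML has no business carrying a DOCTYPE at all (internal
# subset, external DTD, parameter entities all live there). Rejecting the
# whole DOCTYPE is simpler and stricter than pattern-matching ENTITY lines.
# This is defence in depth, not a substitute for upgrading past 1.12.4.
DOCTYPE_RE = /<!DOCTYPE\b/i

def untrusted_xml_safe?(xml)
  !xml.match?(DOCTYPE_RE)
end

# Hypothetical SAX handler that only collects character data; the guard runs
# before the parser ever sees the bytes. Requires Nokogiri at call time.
def parse_untrusted_with_sax(xml)
  raise ArgumentError, 'DOCTYPE not allowed in untrusted XML' unless untrusted_xml_safe?(xml)
  require 'nokogiri'
  handler = Class.new(Nokogiri::XML::SAX::Document) do
    attr_reader :text
    def initialize
      super
      @text = +''
    end

    def characters(string)
      @text << string
    end
  end.new
  Nokogiri::XML::SAX::Parser.new(handler).parse(xml)
  handler.text
end

# Demo, skipped cleanly when the gem is not installed.
begin
  require 'nokogiri'
  puts "benign: #{parse_untrusted_with_sax(BENIGN_DOC)}"
  begin
    parse_untrusted_with_sax(XXE_PAYLOAD)
  rescue ArgumentError => e
    puts "probe rejected: #{e.message}"
  end
rescue LoadError
  puts 'nokogiri not installed; version check and DOCTYPE guard still usable'
end
```

The guard matches on the decoded text, so normalise the input to UTF-8 (and strip any BOM) before calling it; a UTF-16 document would otherwise slip past a byte-level regex. The version check is the thing to actually act on: the only real fix is Nokogiri 1.12.5 or later on JRuby.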

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Decoded: reachable over the network, low attack complexity, no privileges or user interaction required, scope unchanged; high confidentiality impact (file and resource disclosure via entity expansion), no integrity or availability impact.

Affected Packages

NVD: nokogiri/nokogiri < 1.12.5
RubyGems: nokogiri/nokogiri < 1.12.5
CVEListV5: sparklemotion/nokogiri < 1.12.5

Patches

Vulnerability Details (2)

OSV: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby (2021-09-27)
GHSA: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby (2021-09-27)

Vendor Advisories (2)

Red Hat: rubygem-nokogiri: XEE on JRuby (2021-09-26)
Debian: CVE-2021-41098: ruby-nokogiri - Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath an... (2021)