Lucene search

[email protected]CVE-2020-26247

HistoryDec 30, 2020 - 7:15 p.m.

CVE-2020-26247

2020-12-3019:15:12

CWE-611

[email protected]

web.nvd.nist.gov

196

nokogiri

rubygem

xxe vulnerability

xml

xpath

css selector

ssrf

security policy

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.6 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.1%

JSON

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

Affected configurations

Vulners

NVD

Node

sparklemotionnokogiriRange<1.11.0.rc4

CPENameOperatorVersion
nokogiri:nokogirinokogirilt1.11.0

CPE	Name	Operator	Version
nokogiri:nokogiri	nokogiri	lt	1.11.0

CNA Affected

[
  {
    "vendor": "sparklemotion",
    "product": "nokogiri",
    "versions": [
      {
        "version": "< 1.11.0.rc4",
        "status": "affected"
      }
    ]
  }
]