RubySecRUBY:NOKOGIRI-2018-8048Revert libxml2 behavior in Nokogiri gem that could cause XSS
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
59.1%
[MRI] Behavior in libxml2 has been reverted which caused
CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and
CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is
here:
https://github.com/GNOME/libxml2/commit/960f0e2
and more information is available about this commit and its impact
here:
https://github.com/flavorjones/loofah/issues/144
This release simply reverts the libxml2 commit in question to protect
users of Nokogiri’s vendored libraries from similar vulnerabilities.
If you’re offended by what happened here, I’d kindly ask that you
comment on the upstream bug report here:
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
59.1%