CVE-2020-26247

EUVD-2020-1507
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.6 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
GitHub_MCNA
2.6 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
Affected Products (NVD)
VendorProductVersion
nokogirinokogiri
𝑥
< 1.11.0
nokogirinokogiri
1.11.0:rc1
nokogirinokogiri
1.11.0:rc2
nokogirinokogiri
1.11.0:rc3
debiandebian_linux
9.0
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-nokogiri
bookworm
1.13.10+dfsg-2
fixed
bullseye
1.11.1+dfsg-2
fixed
bullseye (security)
1.11.1+dfsg-2+deb11u1
fixed
sid
1.16.4+dfsg-1
fixed
trixie
1.16.4+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-nokogiri
bionic
needs-triage
focal
needs-triage
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
https://hackerone.com/reports/747489
https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html
https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
https://rubygems.org/gems/nokogiri
https://security.gentoo.org/glsa/202208-29
https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
https://hackerone.com/reports/747489
https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html
https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
https://rubygems.org/gems/nokogiri
https://security.gentoo.org/glsa/202208-29