exploitDog


CVE-2020-26247

Published: 30 Dec 2020
Source: nvd
CVSS3: 2.6 / 4.3 (the two scores come from different sources; see the related advisories below)
CVSS2: 4
EPSS: Low

Description

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
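The description above boils down to two practical questions: is the installed Nokogiri older than 1.11.0.rc4, and is an untrusted schema ever compiled with network access enabled? The Ruby below is an added illustration, not code from the Nokogiri project or from this advisory. The version-check helper, the hostile schema and its placeholder URL are constructed for this example; the `Schema.new(schema, parse_options)` signature is the one the 1.11.0.rc4 fix introduced (earlier releases accept only one argument), and `ParseOptions::NONET` is the libxml2 "no network" flag that the fixed versions apply to schemas by default.

```ruby
# Added example for CVE-2020-26247; not code from the Nokogiri project.
# Assumptions: vulnerable_nokogiri? and compile_schema_offline are our own
# helpers; HOSTILE_XSD and its URL are constructed; Schema.new(xsd, options)
# is the signature introduced with the 1.11.0.rc4 fix.
require "rubygems"

# First Nokogiri release in which Nokogiri::XML::Schema stops trusting input.
FIXED_VERSION = Gem::Version.new("1.11.0.rc4")

# Is this Nokogiri version string affected by CVE-2020-26247?
# Gem::Version orders prereleases correctly: 1.11.0.rc3 < 1.11.0.rc4 < 1.11.0.
def vulnerable_nokogiri?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# Constructed hostile XSD. A schema is itself XML, so an attacker who controls
# it can make libxml2 resolve xs:import / xs:include locations (or DTD
# entities) while the schema is being compiled, before any document is
# validated against it. The URL is a placeholder (TCP port 9 is the discard
# service); a real attacker would aim it at an internal host (SSRF) or a
# file:// path (XXE-style read).
HOSTILE_XSD = <<~XSD
  <?xml version="1.0"?>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:import namespace="urn:attacker" schemaLocation="http://127.0.0.1:9/steal.xsd"/>
    <xs:element name="root" type="xs:string"/>
  </xs:schema>
XSD

# Compile an untrusted schema with network access disabled.
# Nokogiri >= 1.11.0.rc4 already defaults schemas to NONET; passing it
# explicitly documents the intent and, on a pre-fix Nokogiri whose Schema.new
# takes a single argument, fails loudly with ArgumentError instead of silently
# compiling the schema with network access enabled.
#
# Returns one of:
#   :nokogiri_missing    the gem is not installed (the rest of this file still runs)
#   :old_api_no_options  Schema.new rejected the options argument: pre-fix version, upgrade
#   :rejected_offline    libxml2 refused the fetch and Nokogiri raised a SyntaxError
#   :compiled_offline    schema compiled without the import (warnings in schema.errors)
def compile_schema_offline(xsd)
  require "nokogiri"
  options = Nokogiri::XML::ParseOptions::NONET
  schema = Nokogiri::XML::Schema.new(xsd, options)
  # libxml2's no-network entity loader refuses http:// and ftp:// locations;
  # depending on the libxml2 build the skipped import is reported as a
  # warning collected in schema.errors rather than as an exception.
  warn "schema warnings: #{schema.errors.map(&:message).inspect}" unless schema.errors.empty?
  :compiled_offline
rescue LoadError
  :nokogiri_missing
rescue ArgumentError
  :old_api_no_options
rescue Nokogiri::XML::SyntaxError, RuntimeError
  :rejected_offline
end

if __FILE__ == $PROGRAM_NAME
  begin
    require "nokogiri"
    puts "Nokogiri #{Nokogiri::VERSION}: vulnerable? #{vulnerable_nokogiri?(Nokogiri::VERSION)}"
  rescue LoadError
    puts "Nokogiri not installed; 1.11.0.rc3 vulnerable? #{vulnerable_nokogiri?('1.11.0.rc3')}"
  end
  puts "compiling hostile schema offline: #{compile_schema_offline(HOSTILE_XSD)}"
end
```

The version check is the part worth wiring into CI or a Gemfile.lock audit; the explicit `NONET` argument is the part worth keeping in application code, because it turns "which Nokogiri is installed" from a silent behaviour difference into an exception on any release that still trusts schemas by default.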

Vulnerable configurations

Configuration 1

Any of

cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*
Versions before 1.11.0 (exclusive)
cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc1:*:*:*:ruby:*:*
cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc2:*:*:*:ruby:*:*
cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc3:*:*:*:ruby:*:*
Configuration 2

Any of

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Percentile: 71%
Score: 0.00678 (Low)

CVSS3: 2.6 Low
CVSS3: 4.3 Medium
CVSS2: 4 Medium

Weaknesses

CWE-611 (Improper Restriction of XML External Entity Reference)

Related advisories

CVSS3: 2.6
ubuntu
about 5 years ago

(same description as the NVD entry above)

CVSS3: 4.3
redhat
about 5 years ago

(same description as the NVD entry above)

CVSS3: 2.6
debian
about 5 years ago

(same description as the NVD entry above, truncated on the page)

CVSS3: 4.3
github
about 5 years ago

Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability

CVSS3: 4.3
fstec
about 5 years ago

Vulnerability in the Nokogiri software library related to improper restriction of XML external entity references, allowing an attacker to carry out an SSRF or XXE attack
