CVE-2021-41098

Published: 26 Sep 2021
Source: redhat
CVSS3: 7.5

Description

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parser, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.

An XML External Entity Reference (XXE) vulnerability was found in the RubyGem Nokogiri on JRuby (the Java implementation of Ruby). If an attacker is able to supply untrusted XML input containing a reference to an external entity, it is processed by a weakly configured SAX parser, resulting in disclosure of confidential data and server-side request forgery. The highest threat from this vulnerability is to system confidentiality.
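Since the affected range is defined by both runtime (JRuby) and version (v1.12.4 or earlier), a dependency inventory check is the practical detection. The following is an added example, not code from the advisory or the Nokogiri project: it scans Gemfile.lock text for Nokogiri entries and flags those on the JRuby platform below the fixed version. It assumes the Bundler convention that the JRuby build of Nokogiri is recorded with a "-java" platform suffix (e.g. "nokogiri (1.12.4-java)"); the lockfile fragments are constructed sample input.

```ruby
# Added example (not from the advisory or the Nokogiri project): flag Gemfile.lock
# entries that fall in the range affected by CVE-2021-41098, i.e. Nokogiri on
# JRuby at v1.12.4 or earlier. Assumption: Bundler records the JRuby build of
# Nokogiri with the "-java" platform suffix, e.g. "nokogiri (1.12.4-java)".
require "rubygems"

# First release carrying the fix, per the advisory.
FIXED_VERSION = Gem::Version.new("1.12.5")

# Constructed Gemfile.lock fragments used as sample input.
LOCK_JRUBY_OLD = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.12.4-java)
      racc (1.5.2)
LOCK

LOCK_JRUBY_FIXED = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.12.5-java)
LOCK

# A multi-platform lockfile: only the -java entry is in scope; the CRuby
# builds ("ruby" and native x86_64-linux platforms) are not affected.
LOCK_MIXED = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.12.4)
      nokogiri (1.12.4-java)
      nokogiri (1.12.4-x86_64-linux)
      racc (1.5.2)
LOCK

# Parse each "nokogiri (<version>[-<platform>])" spec line into
# [Gem::Version, platform]; the platform defaults to "ruby" when absent.
def nokogiri_specs(lockfile_text)
  lockfile_text.each_line.each_with_object([]) do |line, specs|
    m = line.match(/^\s*nokogiri \(([^)]+)\)\s*$/)
    next unless m
    version, platform = m[1].split("-", 2)
    specs << [Gem::Version.new(version), platform || "ruby"]
  end
end

# Return a finding for every affected entry; an empty array means clean.
def cve_2021_41098_findings(lockfile_text)
  nokogiri_specs(lockfile_text)
    .select { |version, platform| platform == "java" && version < FIXED_VERSION }
    .map do |version, platform|
      "nokogiri #{version}-#{platform} is affected by CVE-2021-41098; " \
        "upgrade to #{FIXED_VERSION} or later"
    end
end

if $PROGRAM_NAME == __FILE__
  puts cve_2021_41098_findings(LOCK_MIXED)
end
```

Run it against a real Gemfile.lock by reading the file into a string and passing it to cve_2021_41098_findings; a non-empty result means the lockfile pins a JRuby build inside the affected range. Entries without the -java suffix are CRuby builds and are reported clean, matching the advisory's scope.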

Statement

The following Red Hat products use CRuby (the C implementation of the Ruby programming language) and are not affected by this vulnerability:

  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat CloudForms
  • Red Hat Satellite
  • Red Hat Enterprise Linux

Affected packages

Platform                                             | Package                    | State        | Recommendation | Release
CloudForms Management Engine 5                       | rubygem-nokogiri           | Not affected |                |
Red Hat 3scale API Management Platform 2             | nokogiri                   | Will not fix |                |
Red Hat Advanced Cluster Management for Kubernetes 2 | 3scale_amp                 | Not affected |                |
Red Hat Satellite 6                                  | tfm-ror52-rubygem-nokogiri | Not affected |                |
Red Hat Satellite 6                                  | tfm-rubygem-nokogiri       | Not affected |                |


Additional information

Status: Moderate
Weakness: CWE-611
CVSS3: 7.5 High

Related vulnerabilities

ubuntu (CVSS3: 7.5, more than 4 years ago): same description as above.

nvd (CVSS3: 7.5, more than 4 years ago): same description as above.

debian (CVSS3: 7.5, more than 4 years ago): Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers wit ...

github (CVSS3: 7.5, more than 4 years ago): Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby