CVE-2020-26247

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26247
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26247.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-26247
Aliases
Downstream
Related
Published
2020-12-30T19:15:12Z
Modified
2025-10-21T05:49:35.094907Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

References

Affected packages

Git / github.com/sparklemotion/nokogiri

Affected ranges

Type
GIT
Repo
https://github.com/sparklemotion/nokogiri
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

1.*

1.7.0.1-linux-binary1

REL_1.*

REL_1.0.0
REL_1.0.1
REL_1.0.2
REL_1.0.3
REL_1.0.4
REL_1.0.5
REL_1.0.6
REL_1.0.7
REL_1.1.0
REL_1.1.1
REL_1.2.0
REL_1.2.1
REL_1.2.2
REL_1.2.3
REL_1.3.0
REL_1.3.0rc1
REL_1.3.1
REL_1.3.2
REL_1.3.3
REL_1.4.0
REL_1.4.1
REL_1.4.2
REL_1.4.3
REL_1.4.3.1
REL_1.5.0.beta.1
REL_1.5.0.beta.2

v1.*

v1.10.0
v1.10.0.rc1
v1.10.1
v1.10.2
v1.10.3
v1.11.0.rc1
v1.11.0.rc2
v1.11.0.rc3
v1.4.4
v1.4.4.1
v1.4.4.2
v1.5.0
v1.5.0.beta.3
v1.5.0.beta.4
v1.5.1
v1.5.1.rc1
v1.5.2
v1.5.3
v1.5.3.rc1
v1.5.3.rc3
v1.5.3.rc4
v1.5.3.rc5
v1.5.3.rc6
v1.5.4
v1.5.4.rc1
v1.5.4.rc2
v1.5.4.rc3
v1.5.5
v1.5.5.rc1
v1.5.5.rc2
v1.5.5.rc3
v1.5.6
v1.5.6.rc1
v1.5.6.rc2
v1.5.7
v1.5.7.rc1
v1.5.7.rc2
v1.5.7.rc3
v1.5.8
v1.5.9
v1.6.0
v1.6.0.rc1
v1.6.2
v1.6.2.1
v1.6.2.beta.1
v1.6.2.rc1
v1.6.2.rc2
v1.6.2.rc3
v1.6.3
v1.6.3.1
v1.6.3.rc1
v1.6.3.rc2
v1.6.3.rc3
v1.6.4
v1.6.5
v1.6.6
v1.6.6.1
v1.6.6.2
v1.6.7.rc1
v1.6.7.rc2
v1.6.7.rc3
v1.6.7.rc4
v1.6.8
v1.6.8.rc1
v1.6.8.rc2
v1.6.8.rc3
v1.7.0
v1.7.0.1
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.9.0
v1.9.0.rc1
v1.9.1

Database specific

vanir_signatures

[
    {
        "id": "CVE-2020-26247-1086b743",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "target": {
            "file": "ext/nokogiri/xml_relax_ng.c"
        }
    },
    {
        "id": "CVE-2020-26247-2914ce50",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "length": 369.0,
            "function_hash": "219890053045773288413438907544483592904"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "getSchema",
            "file": "ext/java/nokogiri/XmlSchema.java"
        }
    },
    {
        "id": "CVE-2020-26247-2a7b9317",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "target": {
            "file": "ext/java/nokogiri/XmlRelaxng.java"
        }
    },
    {
        "id": "CVE-2020-26247-4952ba37",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "length": 720.0,
            "function_hash": "9661515642441603369072603515252723382"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "read_memory",
            "file": "ext/nokogiri/xml_schema.c"
        }
    },
    {
        "id": "CVE-2020-26247-a4f0f1ad",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "length": 906.0,
            "function_hash": "39153933559615413504428734559142695356"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "from_document",
            "file": "ext/nokogiri/xml_schema.c"
        }
    },
    {
        "id": "CVE-2020-26247-a7029d53",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "length": 736.0,
            "function_hash": "333683911630746199756708849538491302527"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "from_document",
            "file": "ext/nokogiri/xml_relax_ng.c"
        }
    },
    {
        "id": "CVE-2020-26247-aacd9cb6",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "target": {
            "file": "ext/java/nokogiri/XmlSchema.java"
        }
    },
    {
        "id": "CVE-2020-26247-b7a35816",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "length": 721.0,
            "function_hash": "117965742480207517228833462108399685431"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "read_memory",
            "file": "ext/nokogiri/xml_relax_ng.c"
        }
    },
    {
        "id": "CVE-2020-26247-bd9c9e93",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "length": 649.0,
            "function_hash": "223075275764046106416786741881055081456"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "createSchemaInstance",
            "file": "ext/java/nokogiri/XmlSchema.java"
        }
    },
    {
        "id": "CVE-2020-26247-bf1a9ac9",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "length": 413.0,
            "function_hash": "55369905720923703898960383428349986875"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "init_xml_schema",
            "file": "ext/nokogiri/xml_schema.c"
        }
    },
    {
        "id": "CVE-2020-26247-d43b961b",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "length": 503.0,
            "function_hash": "5786619012056855424931940457734128357"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "from_document",
            "file": "ext/java/nokogiri/XmlSchema.java"
        }
    },
    {
        "id": "CVE-2020-26247-da6b2d19",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "length": 366.0,
            "function_hash": "178420493317479619596962782960376001712"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "init_xml_relax_ng",
            "file": "ext/nokogiri/xml_relax_ng.c"
        }
    },
    {
        "id": "CVE-2020-26247-dc31f83e",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "length": 198.0,
            "function_hash": "70547010719699758318416237910510805399"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "read_memory",
            "file": "ext/java/nokogiri/XmlSchema.java"
        }
    },
    {
        "id": "CVE-2020-26247-e2c7b7dd",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "target": {
            "file": "ext/nokogiri/xml_schema.c"
        }
    },
    {
        "id": "CVE-2020-26247-e2d1577f",
        "source": "https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b",
        "signature_version": "v1",
        "digest": {
            "length": 489.0,
            "function_hash": "245022092763465965443630047219394908629"
        },
        "deprecated": false,
        "signature_type": "Function",
        "target": {
            "function": "createSchemaInstance",
            "file": "ext/java/nokogiri/XmlRelaxng.java"
        }
    }
]