CVE-2020-26247

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26247
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26247.json
Aliases
Related
Published
2020-12-30T19:15:12Z
Modified
2023-11-29T08:18:57.660173Z
Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

References

Affected packages

Git / github.com/sparklemotion/nokogiri

Affected ranges

Type
GIT
Repo
https://github.com/sparklemotion/nokogiri
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed

Affected versions

1.*

1.7.0.1-linux-binary1

REL_1.*

REL_1.0.0
REL_1.0.1
REL_1.0.2
REL_1.0.3
REL_1.0.4
REL_1.0.5
REL_1.0.6
REL_1.0.7
REL_1.1.0
REL_1.1.1
REL_1.2.0
REL_1.2.1
REL_1.2.2
REL_1.2.3
REL_1.3.0
REL_1.3.0rc1
REL_1.3.1
REL_1.3.2
REL_1.3.3
REL_1.4.0
REL_1.4.1
REL_1.4.2
REL_1.4.3
REL_1.4.3.1
REL_1.5.0.beta.1
REL_1.5.0.beta.2

v1.*

v1.10.0
v1.10.0.rc1
v1.10.1
v1.10.2
v1.10.3
v1.11.0.rc1
v1.11.0.rc2
v1.11.0.rc3
v1.4.4
v1.4.4.1
v1.4.4.2
v1.5.0
v1.5.0.beta.3
v1.5.0.beta.4
v1.5.1
v1.5.1.rc1
v1.5.2
v1.5.3
v1.5.3.rc1
v1.5.3.rc3
v1.5.3.rc4
v1.5.3.rc5
v1.5.3.rc6
v1.5.4
v1.5.4.rc1
v1.5.4.rc2
v1.5.4.rc3
v1.5.5
v1.5.5.rc1
v1.5.5.rc2
v1.5.5.rc3
v1.5.6
v1.5.6.rc1
v1.5.6.rc2
v1.5.7
v1.5.7.rc1
v1.5.7.rc2
v1.5.7.rc3
v1.5.8
v1.5.9
v1.6.0
v1.6.0.rc1
v1.6.2
v1.6.2.1
v1.6.2.beta.1
v1.6.2.rc1
v1.6.2.rc2
v1.6.2.rc3
v1.6.3
v1.6.3.1
v1.6.3.rc1
v1.6.3.rc2
v1.6.3.rc3
v1.6.4
v1.6.5
v1.6.6
v1.6.6.1
v1.6.6.2
v1.6.7.rc1
v1.6.7.rc2
v1.6.7.rc3
v1.6.7.rc4
v1.6.8
v1.6.8.rc1
v1.6.8.rc2
v1.6.8.rc3
v1.7.0
v1.7.0.1
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.9.0
v1.9.0.rc1
v1.9.1