GHSA-xjqg-9jvg-fgx2

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-xjqg-9jvg-fgx2/GHSA-xjqg-9jvg-fgx2.json
Aliases
Published
2018-08-21T19:03:04Z
Modified
2022-08-15T08:28:05.719504Z
Details

The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 (as used in nokogiri before 1.6.7.1) does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
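The practical question for a deployment is whether the running process falls inside the range above. The following Ruby script is an added example, not code from the advisory or from the nokogiri project: it encodes the advisory's affected range (introduced 1.6.0, fixed 1.6.7.1) and the libxml2 floor from the description (fixed in 2.9.3) as Gem::Version comparisons, so prerelease tags such as 1.6.7.rc4 are ordered correctly. Reading the versions from a live process via Nokogiri::VERSION and Nokogiri::VERSION_INFO['libxml']['loaded'] is an assumption about that hash's layout; the script falls back to constructed sample values when the gem is not installed.

```ruby
# Added example (not from the advisory page): decide whether an installed
# nokogiri / libxml2 pair is inside the range GHSA-xjqg-9jvg-fgx2 describes.
require 'rubygems' # Gem::Version is part of Ruby's standard distribution

# Range taken from the advisory: introduced 1.6.0, fixed 1.6.7.1 (ECOSYSTEM).
NOKOGIRI_INTRODUCED = Gem::Version.new('1.6.0')
NOKOGIRI_FIXED      = Gem::Version.new('1.6.7.1')
# From the description: libxml2 before 2.9.3 carries the bug.
LIBXML2_FIXED       = Gem::Version.new('2.9.3')

# True when the gem version falls in [1.6.0, 1.6.7.1). Gem::Version orders
# prerelease tags such as 1.6.7.rc4 before 1.6.7.1, so the rc builds listed on
# the page match, and it treats 1.6.7.0 and 1.6.7 as the same version.
def nokogiri_affected?(version)
  v = Gem::Version.new(version)
  v >= NOKOGIRI_INTRODUCED && v < NOKOGIRI_FIXED
end

# True when the libxml2 actually loaded into the process is older than 2.9.3.
# This matters because nokogiri may be linked against a system libxml2 rather
# than the copy bundled with the gem.
def libxml2_affected?(version)
  Gem::Version.new(version) < LIBXML2_FIXED
end

# Combined verdict. The loaded libxml2 version is authoritative when known,
# since that is where xmlStringLenDecodeEntities lives; the gem version is the
# fallback used by dependency scanners that only see the Gemfile.lock.
def vulnerable?(nokogiri_version, libxml2_version = nil)
  return libxml2_affected?(libxml2_version) if libxml2_version
  nokogiri_affected?(nokogiri_version)
end

# Stand-alone use: read versions from the running process if nokogiri is
# installed; otherwise fall back to constructed sample values.
if __FILE__ == $PROGRAM_NAME
  begin
    require 'nokogiri'
    nk = Nokogiri::VERSION
    lx = Nokogiri::VERSION_INFO['libxml']['loaded'] # assumed key layout
  rescue LoadError, NoMethodError, KeyError
    nk, lx = '1.6.7', '2.9.2' # constructed sample: both still affected
  end
  verdict = vulnerable?(nk, lx) ? 'AFFECTED' : 'not affected'
  puts "nokogiri #{nk} / libxml2 #{lx}: #{verdict}"
end
```

One caveat when reading the result: a distribution may backport the libxml2 fix without bumping the version string, so a version below 2.9.3 is a reason to investigate, not proof of exposure; conversely, a gem below 1.6.7.1 built against a system libxml2 2.9.3 or later is not exercising the vulnerable code.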

References

Affected packages

RubyGems / nokogiri

nokogiri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.6.0
Fixed
1.6.7.1

Affected versions

1.*

1.6.0
1.6.1
1.6.2
1.6.2.1
1.6.2.rc1
1.6.2.rc2
1.6.2.rc3
1.6.3
1.6.3.1
1.6.3.rc1
1.6.3.rc2
1.6.3.rc3
1.6.4
1.6.4.1
1.6.5
1.6.6.1
1.6.6.2
1.6.6.3
1.6.6.4
1.6.7
1.6.7.rc2
1.6.7.rc3
1.6.7.rc4

Database specific

{
    "last_known_affected_version_range": "<= 1.6.7.0"
}