GHSA-xjqg-9jvg-fgx2

Suggest an improvement
Source
https://github.com/advisories/GHSA-xjqg-9jvg-fgx2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-xjqg-9jvg-fgx2/GHSA-xjqg-9jvg-fgx2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xjqg-9jvg-fgx2
Aliases
Published
2018-08-21T19:03:04Z
Modified
2024-11-29T05:42:11.715511Z
Summary
Nokogiri subject to DoS via libxml2 vulnerability
Details

The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 (as used in nokogiri before 1.6.7.1) does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:03:39Z"
}
References

Affected packages

RubyGems / nokogiri

Package

Name
nokogiri
Purl
pkg:gem/nokogiri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.6.0
Fixed
1.6.7.1

Affected versions

1.*

1.6.0
1.6.1
1.6.2.rc1
1.6.2.rc2
1.6.2.rc3
1.6.2
1.6.2.1
1.6.3.rc1
1.6.3.rc2
1.6.3.rc3
1.6.3
1.6.3.1
1.6.4
1.6.4.1
1.6.5
1.6.6.1
1.6.6.2
1.6.6.3
1.6.6.4
1.6.7.rc2
1.6.7.rc3
1.6.7.rc4
1.6.7

Database specific 

{
    "last_known_affected_version_range": "<= 1.6.7.0"
}