GHSA-xjqg-9jvg-fgx2

Source

https://github.com/advisories/GHSA-xjqg-9jvg-fgx2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-xjqg-9jvg-fgx2/GHSA-xjqg-9jvg-fgx2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xjqg-9jvg-fgx2

Aliases

CVE-2015-5312

Published

2018-08-21T19:03:04Z

Modified

2024-11-29T05:42:11.715511Z

Summary

Nokogiri subject to DoS via libxml2 vulnerability

Details

The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 (as used in nokogiri before 1.6.7.1) does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.

Database specific

{
    "cwe_ids": [
        "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:03:39Z",
    "severity": "HIGH",
    "nvd_published_at": null
}

References

Affected packages

RubyGems / nokogiri

Package

Name: nokogiri
Purl: pkg:gem/nokogiri

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.6.0

Fixed

1.6.7.1

Affected versions

1.*

1.6.0

1.6.1

1.6.2.rc1

1.6.2.rc2

1.6.2.rc3

1.6.2

1.6.2.1

1.6.3.rc1

1.6.3.rc2

1.6.3.rc3

1.6.3

1.6.3.1

1.6.4

1.6.4.1

1.6.5

1.6.6.1

1.6.6.2

1.6.6.3

1.6.6.4

1.6.7.rc2

1.6.7.rc3

1.6.7.rc4

1.6.7

Database specific

last_known_affected_version_range

"<= 1.6.7.0"