Ubuntu.comUB:CVE-2021-41098CVE-2021-41098
0.001 Low
EPSS
Percentile
46.7%
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with
XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby
only, the SAX parser resolves external entities by default. Users of
Nokogiri on JRuby who parse untrusted documents using any of these classes
are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or
its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and
Nokogiri::HTML4::SAX::PushParser or its alias
Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri
v1.12.5 or later to receive a patch for this issue. There are no
workarounds available for v1.12.4 or earlier. CRuby users are not affected.
References
github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f6d
github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h
launchpad.net/bugs/cve/CVE-2021-41098
nvd.nist.gov/vuln/detail/CVE-2021-41098
security-tracker.debian.org/tracker/CVE-2021-41098
www.cve.org/CVERecord?id=CVE-2021-41098
Related
