CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 46.4%
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with
XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby
only, the SAX parser resolves external entities by default. A document
whose DTD declares an external entity (an XML External Entity, XXE,
injection) therefore makes the parser fetch the referenced resource, such
as a local file, and deliver its contents through the application's SAX
callbacks, which is why the impact is rated as confidentiality only. Users
of Nokogiri on JRuby who parse untrusted documents using any of these
classes are affected: Nokogiri::XML::SAX::Parser, Nokogiri::HTML4::SAX::Parser
or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and
Nokogiri::HTML4::SAX::PushParser or its alias
Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri
v1.12.5 or later to receive a patch for this issue. There are no
workarounds available for v1.12.4 or earlier. CRuby users are not affected.
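The following Ruby is an added example written for this page; it is not Nokogiri project code and not part of the advisory. It shows what an XXE payload aimed at the affected SAX parser looks like, how the leak would surface through a Nokogiri::XML::SAX::Document handler on an affected JRuby runtime (that part only runs if the gem is installed), and two application-side checks a practitioner can put in front of the parser: a runtime check against the advisory's scope and a pre-parse rejection of documents that declare a DOCTYPE or an external entity. Both checks are assumptions of this example, not a Nokogiri workaround; the advisory's fix is upgrading to v1.12.5 or later. The sample documents are constructed, and `affected_runtime?`, `external_entity_decls`, `reject_reason`, `CollectingHandler` and `sax_text` are hypothetical names chosen here.

```ruby
# Added example for CVE-2021-41098 (not Nokogiri project code).
# Stdlib only, except for the optional Nokogiri section at the bottom.
require 'rubygems'

# Constructed sample payload: the internal DTD subset declares an external
# entity pointing at a local file. An affected parser fetches that file and
# passes its contents to the characters() callback in place of &xxe;.
XXE_SAMPLE = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE data [
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
  ]>
  <data>&xxe;</data>
XML

# Constructed benign document with no DTD at all.
BENIGN_SAMPLE = <<~XML
  <?xml version="1.0"?>
  <data>hello</data>
XML

# Advisory scope: JRuby only, Nokogiri 1.12.4 and earlier. CRuby is never
# affected. Hypothetical helper; takes RUBY_ENGINE and Nokogiri::VERSION.
def affected_runtime?(engine, nokogiri_version)
  engine == 'jruby' &&
    Gem::Version.new(nokogiri_version) <= Gem::Version.new('1.12.4')
end

# Entity declarations that reference an external resource:
#   <!ENTITY name SYSTEM "uri">   or   <!ENTITY name PUBLIC "pubid" "uri">
# including parameter entities (<!ENTITY % name ...>).
EXTERNAL_ENTITY_DECL =
  /<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)\s+"([^"]*)"(?:\s+"([^"]*)")?/

# Returns [{name:, parameter:, kind:, uri:}, ...] for every external entity
# declared in the document; [] when there are none.
def external_entity_decls(xml)
  xml.scan(EXTERNAL_ENTITY_DECL).map do |param, name, kind, first, second|
    { name: name, parameter: !param.nil?, kind: kind,
      uri: kind == 'SYSTEM' ? first : second }
  end
end

# Pre-parse guard (application-side assumption, not a library setting):
# nil means the document may be handed to the SAX parser, otherwise the
# reason it was rejected. Any DOCTYPE is rejected, because an external DTD
# reference (<!DOCTYPE x SYSTEM "...">) is itself an external fetch even
# when no entity is declared inline.
def reject_reason(xml)
  decls = external_entity_decls(xml)
  unless decls.empty?
    return "external entity #{decls.first[:name]} -> #{decls.first[:uri]}"
  end
  return 'document declares a DOCTYPE' if xml.match?(/<!DOCTYPE\b/)
  nil
end

# Optional: the SAX path named in the advisory. Only defined when the gem
# is installed. On an affected JRuby runtime, `characters` receives the
# contents of the external entity; on a non-affected runtime the entity is
# not fetched.
begin
  require 'nokogiri'
rescue LoadError
  # gem not present; the guard functions above work without it
end

if defined?(Nokogiri)
  class CollectingHandler < Nokogiri::XML::SAX::Document
    attr_reader :text
    def initialize; @text = +''; end
    def characters(string); @text << string; end
  end

  # Parses with the real Nokogiri::XML::SAX::Parser and returns the
  # concatenated character data the handler saw.
  def sax_text(xml)
    handler = CollectingHandler.new
    Nokogiri::XML::SAX::Parser.new(handler).parse(xml)
    handler.text
  end
end

if __FILE__ == $PROGRAM_NAME
  if defined?(Nokogiri)
    puts "runtime affected: #{affected_runtime?(RUBY_ENGINE, Nokogiri::VERSION)}"
  else
    puts 'nokogiri not installed; runtime check skipped'
  end
  [BENIGN_SAMPLE, XXE_SAMPLE].each do |doc|
    reason = reject_reason(doc)
    if reason
      puts "rejected: #{reason}"
    elsif defined?(Nokogiri)
      puts "accepted, text=#{sax_text(doc).inspect}"
    else
      puts 'accepted (nokogiri not installed, not parsed)'
    end
  end
end
```

Run it under JRuby with an affected Nokogiri and the payload is rejected before the parser ever sees it; feed XXE_SAMPLE straight to `sax_text` instead and the handler's text is the target file, which is the leak the advisory describes. The guard is deliberately strict (any DOCTYPE is refused) because the regex cannot know what an external DTD would declare; it is a stopgap in front of untrusted input, not a substitute for the upgrade.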
github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f6d
github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h
launchpad.net/bugs/cve/CVE-2021-41098
nvd.nist.gov/vuln/detail/CVE-2021-41098
security-tracker.debian.org/tracker/CVE-2021-41098
www.cve.org/CVERecord?id=CVE-2021-41098