XML External Entity (XXE)

2020-12-3104:29:27

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

JSON

Nokogiri is vulnerable to XML external entity (XXE) attack. The vulnerability exist as the external DTDs are enabled by default in the XML parser, which would allow an attacker to submit requests on behalf of the server and gain access to internal and local resources.

CPENameOperatorVersion
nokogirile1.11.0.rc3
ruby-nokogiri:bullseyeeq1.10.9+dfsg-1+b1
ruby-nokogiri:sideq1.10.9+dfsg-1+b1
ruby-nokogiri:edgeeq1.10.9-r0
ruby-nokogiri:edgeeq1.10.9-r3
ruby-nokogiri:edgeeq1.10.10-r0
tfm-rubygem-nokogirieq1.10.9__1.el7sat
tfm-rubygem-nokogirieq1.6.6.2__2.el7sat

Name	Operator	Version
nokogiri	le	1.11.0.rc3
ruby-nokogiri:bullseye	eq	1.10.9+dfsg-1+b1
ruby-nokogiri:sid	eq	1.10.9+dfsg-1+b1
ruby-nokogiri:edge	eq	1.10.9-r0
ruby-nokogiri:edge	eq	1.10.9-r3
ruby-nokogiri:edge	eq	1.10.10-r0
tfm-rubygem-nokogiri	eq	1.10.9__1.el7sat
tfm-rubygem-nokogiri	eq	1.6.6.2__2.el7sat