Veracode Vulnerability Database, VERACODE:3608
Feb 23, 2017 - 6:14 a.m.

XML External Entity (XXE) Via Libxml2

sca.analysiscenter.veracode.com

Nokogiri uses the libxml2 library, which is vulnerable to CVE-2016-9318. Applications using nokogiri 1.5.4 and later are exposed only when they opt into the DTDLOAD option and opt out of the NONET option. Nokogiri's default settings enable neither DTD loading nor network access, so it is not vulnerable by default.
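
To check a code base for the option combination this entry describes (DTD loading enabled together with network access allowed), the following added example scans Ruby source text for it. It is not code from Nokogiri or Veracode; the function names are hypothetical, the bit values mirror libxml2's parser option flags, the sample input is constructed, and the matching is a line-based heuristic rather than a full parser.

```ruby
# Added example: heuristic audit of Ruby source for the exposed state,
# DTDLOAD enabled while NONET is disabled. Helper names are hypothetical.
# Bit values mirror libxml2's XML_PARSE_DTDLOAD and XML_PARSE_NONET.
DTDLOAD = 1 << 2
NONET = 1 << 11
DEFAULT_MASK = NONET # default per the advisory: no DTD loading, no network

def exposed_mask?(mask)
  (mask & DTDLOAD) != 0 && (mask & NONET).zero?
end

# Apply ParseOptions chain methods (dtdload, nodtdload, nonet, nononet).
def apply_chain(mask, text)
  text.scan(/\.(no)?(dtdload|nonet)(?![\w?])/).each do |neg, name|
    bit = name == "dtdload" ? DTDLOAD : NONET
    mask = neg ? mask & ~bit : mask | bit
  end
  mask
end

# Explicitly passed constants replace the default, so NONET must be named.
def constant_mask(text)
  names = text.scan(/ParseOptions::(DTDLOAD|NONET|DEFAULT_XML)\b/).flatten
  return nil if names.empty?
  names.reduce(0) { |m, n| m | (n == "DTDLOAD" ? DTDLOAD : NONET) }
end

# 1-based line numbers where a parse call enters the exposed state. A line
# naming Nokogiri is treated as a new call starting from the default mask.
def audit(source)
  mask = DEFAULT_MASK
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    mask = DEFAULT_MASK if line.include?("Nokogiri")
    before = exposed_mask?(mask)
    mask = apply_chain(constant_mask(line) || mask, line)
    findings << lineno if exposed_mask?(mask) && !before
  end
  findings
end

SAMPLE = <<~'RUBY' # constructed input
  Nokogiri::XML(xml) { |c| c.dtdload }
  Nokogiri::XML(xml) { |c| c.dtdload.nononet }
  Nokogiri::XML(xml) do |c|
    c.dtdload
    c.nononet
  end
  Nokogiri::XML(xml, nil, nil, Nokogiri::XML::ParseOptions::DTDLOAD)
RUBY
puts "exposed at lines: #{audit(SAMPLE).inspect}"
```

Lines reported by `audit` are candidates for review: restoring NONET or dropping DTDLOAD on those calls returns them to the default, non-exposed state.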