
Nokogiri subject to DoS via libxml2 vulnerability

High severity GitHub Reviewed Published Aug 21, 2018 to the GitHub Advisory Database • Updated Aug 25, 2023

Package

bundler nokogiri (RubyGems)

Affected versions

>= 1.6.0, <= 1.6.7.0

Patched versions

1.6.7.1

Description

The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 (as used in nokogiri before 1.6.7.1) does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
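The advisory describes unbounded entity expansion in libxml2's parser, so the practical defences are to confirm the installed nokogiri is outside the affected range and to refuse documents whose internal DTD would expand far beyond their own size before they reach the parser. The following Ruby is an added example written for this page; it is not Nokogiri's or libxml2's code. It assumes a caller passes the XML as a string, models only internal general entities (parameter and external entities are not handled and would need their own policy), and uses an expansion budget that is an arbitrary value chosen for illustration. The two sample documents are constructed for the example.

```ruby
# Added example (not part of the advisory): defender-side guards for Ruby
# applications that hand untrusted XML to Nokogiri on a libxml2 affected by
# CVE-2015-5312. Two checks: (1) is the installed nokogiri inside the
# affected range, and (2) a pre-parse estimate of how much internal entity
# expansion a document would require, so oversized or cyclic definitions
# are rejected before libxml2 ever sees them.
require "rubygems"

# Affected range and fix version as stated in GHSA-xjqg-9jvg-fgx2.
AFFECTED_MIN = Gem::Version.new("1.6.0")
PATCHED      = Gem::Version.new("1.6.7.1")

# True when the given nokogiri version is >= 1.6.0 and <= 1.6.7.0.
def nokogiri_affected?(version_string)
  v = Gem::Version.new(version_string)
  v >= AFFECTED_MIN && v < PATCHED
end

ENTITY_DECL = /<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>/
ENTITY_REF  = /&(\w+);/

# Internal general entities declared in the DOCTYPE's internal subset.
# Parameter entities (<!ENTITY % ...>) and external entities are
# deliberately not modelled here.
def internal_entities(xml)
  subset = xml[/<!DOCTYPE[^\[]*\[(.*?)\]\s*>/m, 1]
  subset ? subset.scan(ENTITY_DECL).to_h : {}
end

# Fully expanded length of one entity, memoised; raises on a reference
# cycle, i.e. a document that would never finish expanding.
def expanded_length(entities, name, memo = {}, stack = [])
  return memo[name] if memo.key?(name)
  raise ArgumentError, "entity cycle through #{name}" if stack.include?(name)
  value = entities[name]
  return "&#{name};".length unless value # predefined or unknown: left as-is
  stack.push(name)
  total = value.length
  value.scan(ENTITY_REF).flatten.each do |ref|
    total += expanded_length(entities, ref, memo, stack) - "&#{ref};".length
  end
  stack.pop
  memo[name] = total
end

# Extra bytes that resolving every entity reference in the body would add.
def entity_growth(xml)
  entities = internal_entities(xml)
  body = xml.sub(/<!DOCTYPE.*?\]\s*>/m, "")
  memo = {}
  body.scan(ENTITY_REF).flatten.sum do |ref|
    expanded_length(entities, ref, memo) - "&#{ref};".length
  end
end

# The default budget is an arbitrary value chosen for this example;
# a cyclic definition is treated as unsafe.
def safe_to_parse?(xml, limit: 1_000_000)
  entity_growth(xml) <= limit
rescue ArgumentError
  false
end

# Constructed sample: three nested entity layers, each doubling the last.
SAMPLE_NESTED = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [
    <!ENTITY a "0123456789">
    <!ENTITY b "&a;&a;">
    <!ENTITY c "&b;&b;">
  ]>
  <note>&c;&c;</note>
XML

# Constructed sample: an entity that references itself.
SAMPLE_CYCLE = <<~XML
  <!DOCTYPE x [ <!ENTITY r "&r;"> ]>
  <x>&r;</x>
XML

if __FILE__ == $PROGRAM_NAME
  puts "nokogiri 1.6.7.0 affected? #{nokogiri_affected?('1.6.7.0')}"
  puts "entity growth for nested sample: #{entity_growth(SAMPLE_NESTED)} bytes"
  puts "cycle sample safe to parse? #{safe_to_parse?(SAMPLE_CYCLE)}"
end
```

Run the guard before calling `Nokogiri::XML` on untrusted input: a document that fails `safe_to_parse?` is dropped without ever being handed to libxml2, and the version check can be wired into a boot-time assertion so an affected nokogiri is caught in CI rather than in production. The growth estimate is deliberately a static, pre-parse calculation; it costs time proportional to the number of declarations, not to the expanded size.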

References

Published to the GitHub Advisory Database Aug 21, 2018
Reviewed Jun 16, 2020
Last updated Aug 25, 2023

Severity

High

EPSS score

0.704%
(80th percentile)

Weaknesses

CVE ID

CVE-2015-5312

GHSA ID

GHSA-xjqg-9jvg-fgx2

Source code

No known source code