Information Exposure Affecting nokogiri package, versions < 1.5.4


0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 0.18% (55th percentile)
Expand this section
NVD
7.5 high
Expand this section
Red Hat
5.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-NOKOGIRI-20032
  • published 7 Jun 2012
  • disclosed 7 Jun 2012
  • credit Felix Gröbert

Overview

nokogiri is an HTML, XML, SAX, and Reader parser, with the ability to search documents via XPath or CSS3 selectors. Affected versions of this Gem are vulnerable to Sensitive Information Exposure.

Details

libxml2 contains a flaw that may lead to unauthorized disclosure of potentially sensitive information. The issue is triggered when handling the expansion of XML external entities (XXE), you can specify URLs (e.g. HTTP) to be contacted when attacker-supplied XML is parsed. This can be used to trigger URL's on an internal network of a XML parsing service and allow a remote attacker to gain access to their responses.