Homepage
About Snyk

Information Exposure Affecting nokogiri package, versions < 1.5.4

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.18% (57th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-NOKOGIRI-20032
  • published 7 Jun 2012
  • disclosed 7 Jun 2012
  • credit Felix Gröbert
Report a new vulnerability Found a mistake?

Introduced: 7 Jun 2012

CVE-2012-6685 Open this link in a new tab
CWE-200 Open this link in a new tab

Overview

nokogiri is an HTML, XML, SAX, and Reader parser, with the ability to search documents via XPath or CSS3 selectors. Affected versions of this Gem are vulnerable to Sensitive Information Exposure.

Details

libxml2 contains a flaw that may lead to unauthorized disclosure of potentially sensitive information. The issue is triggered when handling the expansion of XML external entities (XXE), you can specify URLs (e.g. HTTP) to be contacted when attacker-supplied XML is parsed. This can be used to trigger URL's on an internal network of a XML parsing service and allow a remote attacker to gain access to their responses.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

NVD

7.5 high
Expand this section

Red Hat

5.3 medium