Information Exposure Affecting nokogiri package, versions < 1.5.4


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.25% (64th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUBY-NOKOGIRI-20032
  • published7 Jun 2012
  • disclosed7 Jun 2012
  • creditFelix Gröbert

Introduced: 7 Jun 2012

CVE-2012-6685  (opens in a new tab)
CWE-200  (opens in a new tab)

Overview

nokogiri is an HTML, XML, SAX, and Reader parser, with the ability to search documents via XPath or CSS3 selectors. Affected versions of this Gem are vulnerable to Sensitive Information Exposure.

Details

libxml2 contains a flaw that may lead to unauthorized disclosure of potentially sensitive information. The issue is triggered when handling the expansion of XML external entities (XXE), you can specify URLs (e.g. HTTP) to be contacted when attacker-supplied XML is parsed. This can be used to trigger URL's on an internal network of a XML parsing service and allow a remote attacker to gain access to their responses.

CVSS Scores

version 3.1