CVE-2021-41098 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Xml external entity injection
Description	In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2425	logstash	7.10.2-1		High	Not affected
AVG-2424	ruby-nokogiri	1.12.2-1		High	Not affected

References
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h https://github.com/sparklemotion/nokogiri/pull/2328 https://github.com/sparklemotion/nokogiri/commit/4bd943cae3039c51c3f54de9cd76abbfb647666b

References

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h
https://github.com/sparklemotion/nokogiri/pull/2328
https://github.com/sparklemotion/nokogiri/commit/4bd943cae3039c51c3f54de9cd76abbfb647666b