CVE-2021-41098

Severity High
Remote Yes
Type Xml external entity injection
Description
In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parser, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser.
Group | Package | Affected | Fixed | Severity | Status | Ticket
AVG-2425 | logstash | 7.10.1-1 | | High | Vulnerable |
AVG-2424 | ruby-nokogiri | 1.12.2-1 | | High | Not affected |
References
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h
https://github.com/sparklemotion/nokogiri/pull/2328
https://github.com/sparklemotion/nokogiri/commit/4bd943cae3039c51c3f54de9cd76abbfb647666b