CVE-2021-41098 - log

CVE-2021-41098 edited at 28 Sep 2021 08:46:16
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Xml external entity injection
Description
+ In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parser, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser.
References
+ https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h
+ https://github.com/sparklemotion/nokogiri/pull/2328
+ https://github.com/sparklemotion/nokogiri/commit/4bd943cae3039c51c3f54de9cd76abbfb647666b
Notes
CVE-2021-41098 created at 28 Sep 2021 08:43:35