RSS   Podatności dla 'Nokogiri'   RSS

2022-04-11
 
CVE-2022-24836

NVD-CWE-Other
 

 
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.

 
2020-12-30
 
CVE-2020-26247

CWE-611
 

 
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

 
2020-02-19
 
CVE-2012-6685

CWE-776
 

 
Nokogiri before 1.5.4 is vulnerable to XXE attacks

 
2019-11-05
 
CVE-2013-6461

CWE-776
 

 
Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits

 
 
CVE-2013-6460

CWE-776
 

 
Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents

 
2019-08-16
 
CVE-2019-5477

CWE-77
 

 
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

 


Copyright 2022, cxsecurity.com

 

Back to Top