XXE in Sparklemotion Nokogiri
CVE-2020-26247
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default…
Vulnerability class: XXE (XML External Entity)
EPSS: 0.003 (49.6th percentile).
CVSS v3 metric
CVSS v3 base score 2.6 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N.
Affected products
- Sparklemotion Nokogiri — versions < 1.11.0.rc4
Weakness classification (CWE): CWE-611, Improper Restriction of XML External Entity Reference (XXE)
References
- github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
- rubygems.org/gems/nokogiri
- hackerone.com/reports/747489
- github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
- github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d9…
- [debian-lts-announce] 20210606 [SECURITY] [DLA 2678-1] ruby-nokogiri security update (mailing-list)
- GLSA-202208-29 (vendor-advisory)
- [debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update (mailing-list)
Frequently asked questions
- What is CVE-2020-26247?
- CVE-2020-26247 is a low-severity vulnerability in Sparklemotion Nokogiri, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 2.6/10. Published 2020-12-30.
- How severe is CVE-2020-26247?
- Low severity. CVSS v3 base score is 2.6 out of 10.
- Is CVE-2020-26247 known to be exploited?
- 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.