What is CVE-2021-41098?

CVE-2021-41098 is a high-severity vulnerability in Sparklemotion Nokogiri, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 7.5/10. Published 2021-09-27.

How severe is CVE-2021-41098?

High severity. CVSS v3 base score is 7.5 out of 10.

XXE in Sparklemotion Nokogiri

CVE-2021-41098

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who pa…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.003 (48.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Sparklemotion Nokogiri — versions < 1.12.5

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

References

github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h (x_refsource_CONFIRM)
github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f… (x_refsource_MISC)

Frequently asked questions

What is CVE-2021-41098?: CVE-2021-41098 is a high-severity vulnerability in Sparklemotion Nokogiri, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 7.5/10. Published 2021-09-27.
How severe is CVE-2021-41098?: High severity. CVSS v3 base score is 7.5 out of 10.