CVE-2020-26247

Improper Restriction of XML External Entity Reference in gem/nokogiri

Identifier

CVE-2020-26247

Package Slug

gem/nokogiri

Vulnerability

Improper Restriction of XML External Entity Reference

Description

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.
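The advisory's two actionable points are the version boundary and the parse option that the fixed release turns on for schemas. The following Ruby is an added example, not code from the advisory or from the Nokogiri project: it checks a version string against the fixed version 1.11.0, pre-scans a constructed XSD for references that would leave the document (remote `schemaLocation`, `DOCTYPE`), and builds `Nokogiri::XML::ParseOptions` with `NONET` set so that an untrusted schema cannot trigger network access. The sample schema, the `example.invalid` host and the helper names are constructed for this example; passing parse options to `Nokogiri::XML::Schema.new` is assumed to be available only on the fixed versions, which is why the version check comes first.

```ruby
# Added example (not from the advisory or the Nokogiri project).
require 'rubygems' # Gem::Version; already loaded on modern Ruby

FIXED_VERSION = Gem::Version.new('1.11.0') # fixed version stated in the advisory

# True when the given Nokogiri version string falls in the affected range
# ("all versions before 1.11.0").
def affected_by_cve_2020_26247?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# The gem may not be installed where this runs; degrade gracefully.
begin
  require 'nokogiri'
  NOKOGIRI_LOADED = true
rescue LoadError
  NOKOGIRI_LOADED = false
end

# Constructed sample XSD that imports a schema from a remote location.
# example.invalid is a reserved name and never resolves.
UNTRUSTED_XSD = <<~XSD
  <?xml version="1.0"?>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:import namespace="urn:ext" schemaLocation="http://example.invalid/ext.xsd"/>
    <xs:element name="note" type="xs:string"/>
  </xs:schema>
XSD

# Conservative pre-scan that needs no libxml2: returns schemaLocation values
# with a URI scheme (would be fetched over the network) plus a '<!DOCTYPE>'
# marker if the schema carries a document type declaration. This is a
# logging/alerting aid; the real control is the NONET option below.
def external_references(xsd)
  refs = xsd.scan(/schemaLocation\s*=\s*["']([^"']+)["']/i).flatten
  refs << '<!DOCTYPE>' if xsd =~ /<!DOCTYPE/i
  refs.select { |r| r == '<!DOCTYPE>' || r =~ %r{\A[a-z][a-z0-9+.-]*://}i }
end

# Parse options with NONET set: libxml2 refuses to fetch external resources.
# Returns nil when nokogiri is not installed.
def untrusted_schema_options
  return nil unless NOKOGIRI_LOADED
  Nokogiri::XML::ParseOptions.new(Nokogiri::XML::ParseOptions::NONET)
end

# Compile an untrusted XSD with network access disabled. Assumption: the
# options argument to Schema.new exists only on fixed versions (>= 1.11.0),
# so an affected version is rejected rather than compiled with defaults.
def load_untrusted_schema(xsd)
  raise 'nokogiri not installed' unless NOKOGIRI_LOADED
  if affected_by_cve_2020_26247?(Nokogiri::VERSION)
    raise "Nokogiri #{Nokogiri::VERSION} is affected by CVE-2020-26247; upgrade to 1.11.0+"
  end
  Nokogiri::XML::Schema.new(xsd, untrusted_schema_options)
end

if $PROGRAM_NAME == __FILE__
  puts "affected: #{affected_by_cve_2020_26247?(Nokogiri::VERSION)}" if NOKOGIRI_LOADED
  puts "external refs: #{external_references(UNTRUSTED_XSD).inspect}"
  opts = untrusted_schema_options
  puts "nonet set: #{opts && opts.nonet?}"
end
```

On a fixed version the explicit `NONET` is redundant with the new default, but stating it in code makes the intent visible in review and keeps the behaviour stable if a later caller swaps in different parse options.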

Affected Versions

All versions before 1.11.0

Solution

Upgrade to version 1.11.0 or above.

Last Modified

2021-01-06
