RubySec

Providing security resources for the Ruby community

CVE-2012-6685 (nokogiri): Nokogiri Gem for Ruby External Entity (XXE) Expansion Internal Network Response Remote Disclosure

GEM

nokogiri

SEVERITY

CVSS v2: 5.0

PATCHED VERSIONS

  • >= 1.5.4

DESCRIPTION

libxml2 contains a flaw that may lead to unauthorized disclosure of potentially sensitive information. The issue is triggered when handling the expansion of XML external entities (XXE), which can be used to request URLs on an internal network and allow a remote attacker to gain access to their responses.
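As an added defensive example (not code from the RubySec advisory or the Nokogiri project): a version check against the advisory's patched range, a pre-parse gate that flags documents declaring external entities, and the Nokogiri parse options that keep entity expansion from reaching the network. The sample documents and the intranet hostname are constructed placeholders; the Nokogiri call assumes the gem is installed and returns nil otherwise.

```ruby
# The advisory's patched range: Nokogiri >= 1.5.4.
PATCHED_VERSION = Gem::Version.new("1.5.4")

# True when a Nokogiri version string falls inside the patched range.
def patched_nokogiri?(version_string)
  Gem::Version.new(version_string) >= PATCHED_VERSION
end

# Constructed sample: a DOCTYPE declaring an external (SYSTEM) entity that
# points at an internal host, the shape of input the advisory describes.
# The hostname is a placeholder.
EXTERNAL_ENTITY_SAMPLE = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE data [
    <!ENTITY ext SYSTEM "http://intranet.example.internal/status">
  ]>
  <data>&ext;</data>
XML

# Constructed sample: a DOCTYPE that only declares an internal entity, which
# expands from its literal value and needs no network access.
INTERNAL_ENTITY_SAMPLE = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE data [ <!ENTITY greet "hello"> ]>
  <data>&greet;</data>
XML

# Constructed sample: no DOCTYPE at all.
PLAIN_SAMPLE = "<?xml version=\"1.0\"?><data>hello</data>"

# True when the document declares an external entity: an <!ENTITY ...> (general
# or parameter entity) carrying a SYSTEM or PUBLIC identifier. A pre-parse gate
# like this rejects such input before it ever reaches the XML parser.
def declares_external_entity?(xml)
  return false unless xml =~ /<!DOCTYPE/i
  xml.match?(/<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b/i)
end

# Parses with network access disabled (NONET) and without entity substitution
# (NOENT left off), which is what keeps expansion from reaching internal URLs.
# Requires the nokogiri gem at call time; returns nil when it is not installed.
def parse_without_network(xml)
  require "nokogiri"
  Nokogiri::XML(xml) { |options| options.nonet }
rescue LoadError
  nil
end
```

Run the gate on untrusted input first and only hand documents that pass it to the parser, with the version check used to confirm the installed gem is inside the patched range.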