CVSS v2.0: 5.0 (Medium)
- < 1.6.0
- >= 184.108.40.206
Nokogiri version 220.127.116.11 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVE:
CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM)
Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.
libxml2 could be made to crash if it opened a specially crafted file. It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.