RubySec

Providing security resources for the Ruby community

CVE-2015-8806 (nokogiri): Denial of service or RCE from libxml2 and libxslt

ADVISORIES

GEM

nokogiri

SEVERITY

CVSS v3: 7.5 (High)

UNAFFECTED VERSIONS

  • < 1.6.0

PATCHED VERSIONS

  • >= 1.6.8

DESCRIPTION

Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks.

For more information, the Ubuntu Security Notice is a good start: http://www.ubuntu.com/usn/usn-2994-1/