CVE-2017-15412 (nokogiri): Nokogiri gem, via libxml, is affected by DoS vulnerabilities

Nokogiri gem, via libxml, is affected by DoS vulnerabilities

Published: January 29, 2018

SECURITY IDENTIFIERS

CVE: CVE-2017-15412 (NVD)
GHSA: GHSA-r58r-74gx-6wx3
Vendor Advisory: https://github.com/sparklemotion/nokogiri/issues/1714

GEM

nokogiri

SEVERITY

CVSS v3.x: 8.8 (High)

PATCHED VERSIONS

>= 1.8.2

DESCRIPTION

The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.6.

It was discovered that libxml2 incorrecty handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.

CVE-2017-18258 (NVD)
https://usn.ubuntu.com/usn/usn-3513-1/
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15412.html

RubySec