RubySec

Providing security resources for the Ruby community

CVE-2017-16932 (nokogiri): Nokogiri gem, via libxml, is affected by DoS vulnerabilities

GEM

nokogiri

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

  • >= 1.8.1

DESCRIPTION

The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated this issue by upgrading to libxml 2.9.5.

Wei Lei discovered that libxml2 incorrectly handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.
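Because the fix lives in the bundled libxml2 rather than in Nokogiri's Ruby code, checking the gem version alone is not enough: a Nokogiri built with `--use-system-libraries` links against whatever libxml2 the host provides. The following Ruby script is an added example, not code from RubySec or the Nokogiri project. It applies the advisory's two thresholds (gem >= 1.8.1, libxml2 >= 2.9.5) to the runtime values; the `Nokogiri::VERSION_INFO["libxml"]["loaded"]` layout it reads is assumed from Nokogiri's documentation, and the decision logic is kept in a pure function so it can be exercised without Nokogiri installed.

```ruby
# Added example (not part of the RubySec advisory): audit an installed Nokogiri
# against CVE-2017-16932 using the thresholds stated in the advisory.
require "rubygems" # Gem::Version ships with every stock Ruby

PATCHED_GEM    = Gem::Version.new("1.8.1") # advisory's "patched versions"
PATCHED_LIBXML = Gem::Version.new("2.9.5") # libxml2 release carrying the fix

# Pure decision logic, testable without Nokogiri.
#   gem_version:    Nokogiri gem version string, e.g. "1.8.0"
#   libxml_version: libxml2 version actually loaded at runtime, or nil when
#                   Nokogiri is not using libxml2 at all (e.g. the JRuby build)
def cve_2017_16932_status(gem_version, libxml_version)
  return :not_applicable if libxml_version.nil?

  gem_ok    = Gem::Version.new(gem_version)    >= PATCHED_GEM
  libxml_ok = Gem::Version.new(libxml_version) >= PATCHED_LIBXML

  if gem_ok && libxml_ok
    :patched
  elsif gem_ok
    # Gem is new enough but runs on an older system libxml2 (built with
    # --use-system-libraries); upgrading the gem alone did not close the hole.
    :vulnerable_system_libxml
  else
    :vulnerable
  end
end

# Reads the live values when Nokogiri is loadable. Assumes the
# Nokogiri::VERSION_INFO layout "libxml" => { "loaded" => "2.9.x" }.
def audit_installed_nokogiri
  require "nokogiri"
  libxml = Nokogiri::VERSION_INFO["libxml"]
  loaded = libxml && libxml["loaded"]
  cve_2017_16932_status(Nokogiri::VERSION, loaded)
rescue LoadError
  :nokogiri_not_installed
end

if $PROGRAM_NAME == __FILE__
  puts "CVE-2017-16932 status: #{audit_installed_nokogiri}"
end
```

Run it inside the application's bundle (`bundle exec ruby audit.rb`) so it inspects the Nokogiri the application actually loads; a `:vulnerable_system_libxml` result means the remediation is a libxml2 package update on the host, not a gem bump.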

RELATED