CVE-2020-7595 (nokogiri): libxml2 2.9.10 has an infinite loop in a certain end-of-file situation

February 12th, 2020

ADVISORIES

GEM

SEVERITY

CVSS v3.x: 7.5 (High)

CVSS v2.0: 5.0 (Medium)

PATCHED VERSIONS

>= 1.10.8

DESCRIPTION

Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8

CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.