Vulnerability Name: CVE-2020-26247 (CCN-194564)

Assigned: 2020-12-29
Published: 2020-12-29
Updated: 2022-10-19
Summary: Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
CVSS v3 Severity: 4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): Low
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): Low
  Integrity (I): None
  Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): Low
  Integrity (I): None
  Availability (A): None
CVSS v2 Severity: 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): Single Instance
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): None
  Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): None
  Availability (A): None
Vulnerability Type: CWE-611
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2020-26247

Source: XF
Type: UNKNOWN
nokogiri-cve202026247-info-disc(194564)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4

Source: CCN
Type: Nokogiri GIT Repository
Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability

Source: CONFIRM
Type: Mitigation, Third Party Advisory
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Source: MISC
Type: Permissions Required
https://hackerone.com/reports/747489

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210606 [SECURITY] [DLA 2678-1] ruby-nokogiri security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update

Source: MISC
Type: Product, Third Party Advisory
https://rubygems.org/gems/nokogiri

Source: GENTOO
Type: Third Party Advisory
GLSA-202208-29

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-26247

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:* (Version < 1.11.0)
  • OR cpe:/a:nokogiri:nokogiri:1.11.0:rc1:*:*:*:ruby:*:*
  • OR cpe:/a:nokogiri:nokogiri:1.11.0:rc2:*:*:*:ruby:*:*
  • OR cpe:/a:nokogiri:nokogiri:1.11.0:rc3:*:*:*:ruby:*:*

Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7799 | P | ruby2.5-rubygem-nokogiri-1.8.5-150400.14.3.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:95334 | P | Security update for ncurses (Moderate) (in QA) | 2022-07-18
oval:org.opensuse.security:def:3193 | P | libjavascriptcoregtk-4_0-18-2.24.4-2.47.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94823 | P | ruby2.5-rubygem-nokogiri-1.8.5-150400.12.4 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:303 | P | ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:357 | P | ruby2.5-rubygem-nokogiri-1.8.5-150400.12.4 on GA media (Moderate) | 2022-06-10
oval:org.opensuse.security:def:1232 | P | Security update for the Linux Kernel (Important) | 2022-01-19
oval:org.opensuse.security:def:62321 | P | ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101079 | P | ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72062 | P | ruby2.5-rubygem-nokogiri-1.8.5-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:84184 | P | Security update for ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema (Moderate) | 2021-07-28
oval:org.opensuse.security:def:84643 | P | Security update for ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema (Moderate) | 2021-07-28
oval:org.opensuse.security:def:5786 | P | Security update for freeradius-server (Moderate) | 2021-06-11
oval:org.opensuse.security:def:102047 | P | Security update for gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly (Important) | 2021-06-01
oval:org.opensuse.security:def:111202 | P | Security update for rubygem-nokogiri (Important) | 2021-02-05
oval:org.opensuse.security:def:97161 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:91880 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:109532 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:118628 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:102866 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:66492 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:8257 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:98164 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:75560 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:100314 | P | (Important) | 2021-02-01
oval:org.opensuse.security:def:66875 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:8324 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:104854 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:98830 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:96176 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:75943 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:5403 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:100643 | P | (Important) | 2021-02-01
oval:org.opensuse.security:def:91199 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:8366 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:108713 | P | Security update for rubygem-nokogiri (Important) | 2021-02-01
oval:org.opensuse.security:def:81085 | P | Security update for rubygem-nokogiri (Important) | 2021-01-25
oval:org.opensuse.security:def:88460 | P | Security update for rubygem-nokogiri (Important) | 2021-01-25
oval:org.opensuse.security:def:84625 | P | Security update for rubygem-nokogiri (Important) | 2021-01-25