Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
XML is like violence - if it doesn’t solve your problems, you are not
using enough of it.
The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
CVE-2015-5312 - High Severity Vulnerability
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors. XML is like violence - if it doesn’t solve your problems, you are not using enough of it.
Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem
Dependency Hierarchy: - github-pages-44.gem (Root Library) - jemoji-0.5.1.gem - html-pipeline-2.3.0.gem - :x: **nokogiri-1.6.7.2.gem** (Vulnerable Library)
The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
Publish Date: 2015-12-15
URL: CVE-2015-5312
Base Score Metrics not available
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5312
Release Date: 2015-12-15
Fix Resolution: 2.9.3
Step up your Open Source Security Game with WhiteSource here