Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.
XML is like violence - if it doesn’t solve your problems, you are not
using enough of it.
The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
CVE-2015-5312 - High Severity Vulnerability
Vulnerable Library - nokogiri-1.6.7.2.gem
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors. XML is like violence - if it doesn’t solve your problems, you are not using enough of it.
Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem
Dependency Hierarchy: - github-pages-44.gem (Root Library) - jemoji-0.5.1.gem - html-pipeline-2.3.0.gem - :x: **nokogiri-1.6.7.2.gem** (Vulnerable Library)
Vulnerability Details
The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
Publish Date: 2015-12-15
URL: CVE-2015-5312
CVSS 2 Score Details (7.1)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5312
Release Date: 2015-12-15
Fix Resolution: 2.9.3
Step up your Open Source Security Game with WhiteSource here