UBUNTU-CVE-2020-26247

Source
https://ubuntu.com/security/notices/UBUNTU-CVE-2020-26247
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-26247.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2020-26247
Related
Published
2020-12-30T19:15:00Z
Modified
2020-12-30T19:15:00Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

References

Affected packages

Ubuntu:Pro:14.04:LTS / ruby-nokogiri

Package

Name
ruby-nokogiri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.5.9-2
1.5.9-3
1.6.0-1
1.6.1+ds-1
1.6.1+ds-1ubuntu0.1~esm1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:16.04:LTS / ruby-nokogiri

Package

Name
ruby-nokogiri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.6.6.2+ds-2build2
1.6.6.3-1
1.6.7-1
1.6.7.1-1
1.6.7.2-3
1.6.7.2-3build1
1.6.7.2-3ubuntu0.1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / ruby-nokogiri

Package

Name
ruby-nokogiri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.8.0-1
1.8.1-1
1.8.1-1build1
1.8.2-1build1
1.8.2-1ubuntu0.1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / ruby-nokogiri

Package

Name
ruby-nokogiri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.10.3+dfsg1-2
1.10.4+dfsg1-1
1.10.7+dfsg1-1
1.10.7+dfsg1-2
1.10.7+dfsg1-2build1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / ruby-nokogiri

Package

Name
ruby-nokogiri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.11.1+dfsg-2ubuntu1
1.11.7+dfsg-3
1.11.7+dfsg-3build1
1.13.1+dfsg-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / ruby-nokogiri

Package

Name
ruby-nokogiri

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.14.3+dfsg-2
1.16.0+dfsg-2build1
1.16.2+dfsg-1
1.16.2+dfsg-1build1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}