Bug 1912487 (CVE-2020-26247)

Summary: CVE-2020-26247 rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akarol, amasferr, bbuckingham, bcourt, bkearney, btotty, chazlett, dmetzger, extras-orphan, gmccullo, gtanzill, hhudgeon, jhardy, kaycoth, lzap, mcascell, mmccune, mtasaka, nmoumoul, pvalena, rchan, rhel8-maint, rjerrido, roliveri, rtillery, simaishi, smallamp, sokeeffe, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rubygem-nokogiri 1.11.0.rc4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Nokogiri. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XML External Entity (XXE) or Server-side request forgery (SSRF) attacks. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 11:00:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1912488, 1912490, 1914234, 1914235, 1914236, 1915396, 1915398, 1915399    
Bug Blocks: 1912492    

Description Pedro Sampaio 2021-01-04 15:18:55 UTC 
In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

References:

https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
https://hackerone.com/reports/747489
https://rubygems.org/gems/nokogiri
Comment 1 Pedro Sampaio 2021-01-04 15:19:47 UTC 
Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-7 [bug 1912490]
Affects: fedora-all [bug 1912488]
Comment 4 Mauro Matteo Cascella 2021-01-11 15:39:39 UTC 
External References:

https://github.com/advisories/GHSA-vr8q-g5c7-m54m
Comment 5 Mauro Matteo Cascella 2021-01-11 16:24:53 UTC 
Mitigation:

There are no known workarounds for affected versions. Please refer to the upstream advisory page for additional information.
Comment 14 errata-xmlrpc 2021-11-16 14:07:50 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702
Comment 15 errata-xmlrpc 2021-12-16 18:03:07 UTC 
This issue has been addressed in the following products:

  3scale API Management

Via RHSA-2021:5191 https://access.redhat.com/errata/RHSA-2021:5191