1912487 – (CVE-2020-26247) CVE-2020-26247 rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema

Bug 1912487 (CVE-2020-26247) - CVE-2020-26247 rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema

Summary: CVE-2020-26247 rubygem-nokogiri: XML external entity injection via Nokogiri::...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2020-26247
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1912488 1912490 1914234 1914235 1914236 1915396 1915398 1915399
Blocks:	1912492
TreeView+	depends on / blocked

Reported:	2021-01-04 15:18 UTC by Pedro Sampaio
Modified:	2021-12-16 18:03 UTC (History)
CC List:	30 users (show)
Fixed In Version:	rubygem-nokogiri 1.11.0.rc4
Clone Of:
Environment:
Last Closed:	2021-10-28 11:00:44 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:4702	0	None	None	None	2021-11-16 14:07:51 UTC
Red Hat Product Errata	RHSA-2021:5191	0	None	None	None	2021-12-16 18:03:09 UTC

Description Pedro Sampaio 2021-01-04 15:18:55 UTC

In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

References:

https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
https://hackerone.com/reports/747489
https://rubygems.org/gems/nokogiri

Comment 1 Pedro Sampaio 2021-01-04 15:19:47 UTC

Created rubygem-nokogiri tracking bugs for this issue:

Affects: epel-7 [bug 1912490]
Affects: fedora-all [bug 1912488]

Comment 4 Mauro Matteo Cascella 2021-01-11 15:39:39 UTC

External References:

https://github.com/advisories/GHSA-vr8q-g5c7-m54m

Comment 5 Mauro Matteo Cascella 2021-01-11 16:24:53 UTC

Mitigation:

There are no known workarounds for affected versions. Please refer to the upstream advisory page for additional information.

Comment 14 errata-xmlrpc 2021-11-16 14:07:50 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

Comment 15 errata-xmlrpc 2021-12-16 18:03:07 UTC

This issue has been addressed in the following products:

  3scale API Management

Via RHSA-2021:5191 https://access.redhat.com/errata/RHSA-2021:5191

Note You need to log in before you can comment on or make changes to this bug.

akarol
amasferr
bbuckingham
bcourt
bkearney
btotty
chazlett
dmetzger
extras-orphan
gmccullo
gtanzill
hhudgeon
jhardy
kaycoth
lzap
mcascell
mmccune
mtasaka
nmoumoul
pvalena
rchan
rhel8-maint
rjerrido
roliveri
rtillery
simaishi
smallamp
sokeeffe
vanmeeuwen+fedora
vondruch