Moderate severityNVD Advisory· Published Dec 30, 2020· Updated Aug 4, 2024
XXE in Nokogiri
CVE-2020-26247
Description
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nokogiriRubyGems | < 1.11.0 | 1.11.0 |
Affected products
116- ghsa-coords115 versionspkg:gem/nokogiripkg:rpm/opensuse/rubygem-nokogiri&distro=openSUSE%20Leap%2015.2pkg:rpm/suse/ardana-cobbler&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/ardana-cobbler&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/cassandra&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/cassandra&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/cassandra&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/documentation-hpe-helion-openstack-installation&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/documentation-hpe-helion-openstack-operations&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/documentation-hpe-helion-openstack-opsconsole&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/documentation-hpe-helion-openstack-planning&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/documentation-hpe-helion-openstack-security&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/documentation-hpe-helion-openstack-user&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/documentation-suse-openstack-cloud-deployment&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/documentation-suse-openstack-cloud-installation&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-operations&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-opsconsole&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-planning&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-security&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-supplement&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-supplement&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-admin&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-admin&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-user&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-user&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/documentation-suse-openstack-cloud-user&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/grafana&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/kibana&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/openstack-heat-templates&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/openstack-monasca-installer&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/openstack-monasca-installer&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/openstack-monasca-installer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/openstack-nova&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/openstack-nova-doc&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-Django&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-elementpath&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-elementpath&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-elementpath&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-eventlet&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-eventlet&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-eventlet&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-py&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-py&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-py&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-pysaml2&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-xmlschema&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-xmlschema&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-xmlschema&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/rubygem-activerecord-session_store&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/rubygem-nokogiri&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015pkg:rpm/suse/rubygem-nokogiri&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1pkg:rpm/suse/rubygem-nokogiri&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2pkg:rpm/suse/rubygem-nokogiri&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/rubygem-nokogiri&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/rubygem-nokogiri&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/venv-openstack-aodh&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-aodh&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-barbican&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-barbican&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-ceilometer&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-ceilometer&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-cinder&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-cinder&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-designate&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-designate&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-freezer&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-freezer&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-glance&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-glance&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-heat&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-heat&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-horizon-hpe&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-ironic&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-ironic&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-keystone&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-keystone&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-magnum&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-magnum&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-manila&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-manila&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-monasca&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-monasca&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-murano&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-murano&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-neutron&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-nova&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-octavia&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-octavia&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-sahara&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-sahara&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-swift&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-swift&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-trove&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-trove&distro=SUSE%20OpenStack%20Cloud%208
< 1.11.0+ 114 more
- (no CPE)range: < 1.11.0
- (no CPE)range: < 1.8.5-lp152.4.3.1
- (no CPE)range: < 8.0+git.1614096566.e8c2b27-3.44.3
- (no CPE)range: < 8.0+git.1614096566.e8c2b27-3.44.3
- (no CPE)range: < 3.11.10-5.3.5
- (no CPE)range: < 3.11.10-5.3.5
- (no CPE)range: < 3.11.10-5.3.5
- (no CPE)range: < 5.0+git.1622489449.a8e60e238-3.50.4
- (no CPE)range: < 5.0+git.1616001417.67fd9c2a1-4.52.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 8.20210512-1.32.5
- (no CPE)range: < 6.7.4-4.18.2
- (no CPE)range: < 6.7.4-4.18.2
- (no CPE)range: < 6.7.4-4.18.2
- (no CPE)range: < 4.6.6-3.9.2
- (no CPE)range: < 4.6.6-3.9.2
- (no CPE)range: < 4.6.6-3.9.2
- (no CPE)range: < 0.0.0+git.1623056900.7917e18-3.21.3
- (no CPE)range: < 0.0.0+git.1623056900.7917e18-3.21.3
- (no CPE)range: < 0.0.0+git.1623056900.7917e18-3.21.3
- (no CPE)range: < 20190923_16.32-3.18.2
- (no CPE)range: < 20190923_16.32-3.18.2
- (no CPE)range: < 20190923_16.32-3.18.2
- (no CPE)range: < 16.1.9~dev92-3.48.5
- (no CPE)range: < 16.1.9~dev92-3.48.5
- (no CPE)range: < 16.1.9~dev92-3.48.5
- (no CPE)range: < 16.1.9~dev92-3.48.5
- (no CPE)range: < 16.1.9~dev92-3.48.5
- (no CPE)range: < 16.1.9~dev92-3.48.5
- (no CPE)range: < 1.11.29-3.25.3
- (no CPE)range: < 1.11.29-3.25.3
- (no CPE)range: < 1.11.29-3.25.3
- (no CPE)range: < 1.3.1-1.3.2
- (no CPE)range: < 1.3.1-1.3.2
- (no CPE)range: < 1.3.1-1.3.2
- (no CPE)range: < 0.20.0-6.3.3
- (no CPE)range: < 0.20.0-6.3.3
- (no CPE)range: < 0.20.0-6.3.3
- (no CPE)range: < 1.4.34-3.3.3
- (no CPE)range: < 1.4.34-3.3.3
- (no CPE)range: < 1.4.34-3.3.3
- (no CPE)range: < 4.0.2-5.9.2
- (no CPE)range: < 4.0.2-5.9.2
- (no CPE)range: < 4.0.2-5.9.2
- (no CPE)range: < 1.0.18-1.3.3
- (no CPE)range: < 1.0.18-1.3.3
- (no CPE)range: < 1.0.18-1.3.3
- (no CPE)range: < 0.1.2-3.3.2
- (no CPE)range: < 1.8.5-3.6.1
- (no CPE)range: < 1.8.5-3.6.1
- (no CPE)range: < 1.8.5-3.6.1
- (no CPE)range: < 1.6.1-5.3.1
- (no CPE)range: < 1.6.1-5.3.1
- (no CPE)range: < 1.6.1-5.3.1
- (no CPE)range: < 5.1.1~dev7-12.32.3
- (no CPE)range: < 5.1.1~dev7-12.32.3
- (no CPE)range: < 5.0.2~dev3-12.33.3
- (no CPE)range: < 5.0.2~dev3-12.33.3
- (no CPE)range: < 9.0.8~dev7-12.30.3
- (no CPE)range: < 9.0.8~dev7-12.30.3
- (no CPE)range: < 11.2.3~dev29-14.34.2
- (no CPE)range: < 11.2.3~dev29-14.34.2
- (no CPE)range: < 5.0.3~dev7-12.31.3
- (no CPE)range: < 5.0.3~dev7-12.31.3
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.28.3
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.28.3
- (no CPE)range: < 15.0.3~dev3-12.31.3
- (no CPE)range: < 15.0.3~dev3-12.31.3
- (no CPE)range: < 9.0.8~dev22-12.33.2
- (no CPE)range: < 9.0.8~dev22-12.33.2
- (no CPE)range: < 12.0.5~dev6-14.36.6
- (no CPE)range: < 12.0.5~dev6-14.36.3
- (no CPE)range: < 9.1.8~dev8-12.33.3
- (no CPE)range: < 9.1.8~dev8-12.33.3
- (no CPE)range: < 12.0.4~dev11-11.35.3
- (no CPE)range: < 12.0.4~dev11-11.35.3
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.32.2
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.32.2
- (no CPE)range: < 5.1.1~dev5-12.37.3
- (no CPE)range: < 5.1.1~dev5-12.37.3
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.28.3
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.28.3
- (no CPE)range: < 2.2.2~dev1-11.28.3
- (no CPE)range: < 2.2.2~dev1-11.28.3
- (no CPE)range: < 4.0.2~dev2-12.28.3
- (no CPE)range: < 4.0.2~dev2-12.28.3
- (no CPE)range: < 11.0.9~dev69-13.38.3
- (no CPE)range: < 11.0.9~dev69-13.38.3
- (no CPE)range: < 16.1.9~dev92-11.36.3
- (no CPE)range: < 16.1.9~dev92-11.36.3
- (no CPE)range: < 1.0.6~dev3-12.33.3
- (no CPE)range: < 1.0.6~dev3-12.33.3
- (no CPE)range: < 7.0.5~dev4-11.32.3
- (no CPE)range: < 7.0.5~dev4-11.32.3
- (no CPE)range: < 2.15.2_2.15.2_2.15.2~dev32-11.23.3
- (no CPE)range: < 2.15.2_2.15.2_2.15.2~dev32-11.23.3
- (no CPE)range: < 8.0.2~dev2-11.32.3
- (no CPE)range: < 8.0.2~dev2-11.32.3
- Range: < 1.11.0.rc4
Patches
Vulnerability mechanics
References
12- github.com/advisories/GHSA-vr8q-g5c7-m54mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-26247ghsaADVISORY
- security.gentoo.org/glsa/202208-29ghsavendor-advisoryWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.ymlghsaWEB
- github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.mdghsaWEB
- github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97bghsaWEB
- github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4ghsaWEB
- github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54mghsaWEB
- hackerone.com/reports/747489ghsaWEB
- lists.debian.org/debian-lts-announce/2021/06/msg00007.htmlghsamailing-listWEB
- lists.debian.org/debian-lts-announce/2022/10/msg00018.htmlghsamailing-listWEB
- rubygems.org/gems/nokogirighsaWEB
News mentions
0No linked articles in our index yet.