From 1fff1f506867808160bbb458698ca957e2cac20a Mon Sep 17 00:00:00 2001 From: "advisory-db[bot]" <45398580+advisory-db[bot]@users.noreply.github.com> Date: Mon, 27 Sep 2021 19:31:05 +0000 Subject: [PATCH] Add CVE-2021-41098 for GHSA-2rr5-8q37-2w7h Add CVE-2021-41098 for GHSA-2rr5-8q37-2w7h --- 2021/41xxx/CVE-2021-41098.json | 82 +++++++++++++++++++++++++++++++--- 1 file changed, 76 insertions(+), 6 deletions(-) diff --git a/2021/41xxx/CVE-2021-41098.json b/2021/41xxx/CVE-2021-41098.json index d2263636fb9..335d1541054 100644 --- a/2021/41xxx/CVE-2021-41098.json +++ b/2021/41xxx/CVE-2021-41098.json @@ -1,18 +1,88 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41098", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "nokogiri", + "version": { + "version_data": [ + { + "version_value": "< 1.12.5" + } + ] + } + } + ] + }, + "vendor_name": "sparklemotion" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "version": "3.0" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-611: Improper Restriction of XML External Entity Reference" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h", + "refsource": "CONFIRM", + "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h" + }, + { + "name": "https://github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f6d", + "refsource": "MISC", + "url": "https://github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f6d" + } + ] + }, + "source": { + "advisory": "GHSA-2rr5-8q37-2w7h", + "discovery": "UNKNOWN" } } \ No newline at end of file