CVE-2020-26247 — LOW (2.6) — White Hats Nepal

Q: How severe is CVE-2020-26247?

CVE-2020-26247 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-26247?

Check the references section above for vendor advisories and patch information. Affected products include: Nokogiri Nokogiri, Debian Debian Linux.

Vulnerability Description

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

CVSS Score

2.6

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Nokogiri	Nokogiri	< 1.11.0
Debian	Debian Linux	9.0

Related Weaknesses (CWE)

CWE-611

References

https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809PatchThird Party Advisory
https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4Release NotesThird Party Advisory
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54MitigationThird Party Advisory
https://hackerone.com/reports/747489Permissions Required
https://lists.debian.org/debian-lts-announce/2021/06/msg00007.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00018.htmlMailing ListThird Party Advisory
https://rubygems.org/gems/nokogiriProductThird Party Advisory
https://security.gentoo.org/glsa/202208-29Third Party Advisory
https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809PatchThird Party Advisory
https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4Release NotesThird Party Advisory
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54MitigationThird Party Advisory
https://hackerone.com/reports/747489Permissions Required
https://lists.debian.org/debian-lts-announce/2021/06/msg00007.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00018.htmlMailing ListThird Party Advisory
https://rubygems.org/gems/nokogiriProductThird Party Advisory

FAQ

What is CVE-2020-26247?

CVE-2020-26247 is a vulnerability with a CVSS score of 2.6 (LOW). Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokog...

How severe is CVE-2020-26247?

CVE-2020-26247 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-26247?

Check the references section above for vendor advisories and patch information. Affected products include: Nokogiri Nokogiri, Debian Debian Linux.