Vulnerability Description
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parser, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nokogiri | Nokogiri | < 1.12.5 |
Related Weaknesses (CWE)
References
- https://github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584 (Patch, Third Party Advisory)
- https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7 (Third Party Advisory)
FAQ
What is CVE-2021-41098?
CVE-2021-41098 is a vulnerability in Nokogiri, a Rubygem providing HTML, XML, SAX, and Reader parsers, with a CVSS base score of 7.5 (HIGH). In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default, so JRuby users who parse untrusted documents with the SAX or PushParser classes listed above are affected.
How severe is CVE-2021-41098?
CVE-2021-41098 has been rated HIGH with a CVSS base score of 7.5/10.
Is there a patch for CVE-2021-41098?
Yes. JRuby users should upgrade to Nokogiri v1.12.5 or later; there is no workaround for v1.12.4 or earlier, and CRuby users are not affected. The patch commit and the GitHub security advisory are linked in the references section above. Affected product: Nokogiri (vendor: Nokogiri).