HIGH
GHSA-xjqg-9jvg-fgx2
Nokogiri subject to DoS via libxml2 vulnerability
Details
The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 (as used in nokogiri before 1.6.7.1) does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
References
- https://nvd.nist.gov/vuln/detail/CVE-2015-5312 [ADVISORY]
- https://bugzilla.redhat.com/show_bug.cgi?id=1276693 [WEB]
- https://git.gnome.org/browse/libxml2/commit/?id=69030714cde66d525a8884bda01b9e8f0abf8e1e [WEB]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml [WEB]
- https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s [WEB]
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04944172 [WEB]
- https://security.gentoo.org/glsa/201701-37 [WEB]
- https://support.apple.com/HT206166 [WEB]
- https://support.apple.com/HT206167 [WEB]
- https://support.apple.com/HT206168 [WEB]
- https://support.apple.com/HT206169 [WEB]
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html [WEB]
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html [WEB]
- http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html [WEB]
- http://marc.info/?l=bugtraq&m=145382616617563&w=2 [WEB]
- http://rhn.redhat.com/errata/RHSA-2015-2549.html [WEB]
- http://rhn.redhat.com/errata/RHSA-2015-2550.html [WEB]
- http://www.debian.org/security/2015/dsa-3430 [WEB]
- http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html [WEB]
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html [WEB]
- http://www.ubuntu.com/usn/USN-2834-1 [WEB]
- http://xmlsoft.org/news.html [WEB]