Debian DLA-2678-1 : ruby-nokogiri security update

medium Nessus Plugin ID 150309


The remote Debian host is missing a security update.


An XXE vulnerability was found in Nokogiri, a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support.

XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. The new default behavior is to treat all input as untrusted. The upstream advisory provides further information on how to mitigate the problem or restore the old behavior. q-g5c7-m54m

For Debian 9 stretch, this problem has been fixed in version

We recommend that you upgrade your ruby-nokogiri packages.

For the detailed security status of ruby-nokogiri please refer to its security tracker page at:

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.


Upgrade the affected ruby-nokogiri package.

Plugin Details

Severity: Medium

ID: 150309

File Name: debian_DLA-2678.nasl

Version: 1.4

Type: local

Agent: unix

Published: 6/7/2021

Updated: 1/12/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

Risk Factor: Low

Score: 1.4

CVSS v2.0

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2020-26247

CVSS v3.0

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:ruby-nokogiri, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 6/6/2021

Vulnerability Publication Date: 12/30/2020

Reference Information

CVE: CVE-2020-26247