Detections
Analytics

Debian DLA-2678-1 : ruby-nokogiri security update

medium Nessus Plugin ID 150309

Language:

Synopsis

The remote Debian host is missing a security update.

Description

An XXE vulnerability was found in Nokogiri, a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support.

XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. The new default behavior is to treat all input as untrusted. The upstream advisory provides further information how to mitigate the problem or restore the old behavior again.

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8 q-g5c7-m54m

For Debian 9 stretch, this problem has been fixed in version 1.6.8.1-1+deb9u1.

We recommend that you upgrade your ruby-nokogiri packages.

For the detailed security status of ruby-nokogiri please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-nokogiri

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected ruby-nokogiri package.

See Also

http://www.nessus.org/u?ae52fb19

https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html

https://packages.debian.org/source/stretch/ruby-nokogiri

http://www.nessus.org/u?a4325c6e

Plugin Details

Severity: Medium

ID: 150309

File Name: debian_DLA-2678.nasl

Version: 1.4

Type: local

Agent: unix

Published: 6/7/2021

Updated: 1/12/2024

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2020-26247

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:ruby-nokogiri, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 6/6/2021

Vulnerability Publication Date: 12/30/2020

Reference Information

CVE: CVE-2020-26247