CVE-2015-5312

The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.

Published Bysecalert@redhat.com

Published DateDec 15, 2015, 21:59

Affected Versions(1)

nokogiri(RubyGems)

Introduced1.6.0

Fixed1.6.7.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
nokogiri(RubyGems)	1.6.0	1.6.7.1	N/A

Weakness Type (CWE):CWE-399

CVSS Metrics

Base Score

7.1

Vector String

AV:N/AC:M/Au:N/C:N/I:N/A:C

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

COMPLETE

References

Weakness Type (CWE):CWE-399

CVSS Metrics

Base Score

7.1

Vector String

AV:N/AC:M/Au:N/C:N/I:N/A:C

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

COMPLETE