Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWp4anItNWg2OS1xdzN3

Heap-based buffer overflow in nokogiri

Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to use an excessive amount of CPU, leak potentially sensitive information, or crash the application.

Permalink: https://github.com/advisories/GHSA-jxjr-5h69-qw3w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWp4anItNWg2OS1xdzN3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 6 years ago
Updated: over 1 year ago

EPSS Percentage: 0.00967
EPSS Percentile: 0.83146

Identifiers: GHSA-jxjr-5h69-qw3w, CVE-2015-7499
References:

• https://nvd.nist.gov/vuln/detail/CVE-2015-7499
• https://bugzilla.redhat.com/show_bug.cgi?id=1281925
• https://git.gnome.org/browse/libxml2/commit/?id=28cd9cb747a94483f4aea7f0968d202c20bb4cfc
• https://git.gnome.org/browse/libxml2/commit/?id=35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da
• https://github.com/advisories/GHSA-jxjr-5h69-qw3w
• https://security.gentoo.org/glsa/201701-37
• http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
• http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html
• http://rhn.redhat.com/errata/RHSA-2015-2549.html
• http://rhn.redhat.com/errata/RHSA-2015-2550.html
• http://www.debian.org/security/2015/dsa-3430
• http://www.ubuntu.com/usn/USN-2834-1
• http://xmlsoft.org/news.html
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-7499.yml
• https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
• https://web.archive.org/web/20210724022841/http://www.securityfocus.com/bid/79509
• https://web.archive.org/web/20211205133229/https://securitytracker.com/id/1034243

Blast Radius: 0.0

Affected Packages