CVE-2021-41098 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2021-41098 Interim 1 22 2023-08-28T23:37:18Z current 2021-09-29T01:16:55Z 2023-08-28T23:37:18Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2021-41098 Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise High Availability Extension 15 SUSE Linux Enterprise High Availability Extension 15 SP1 SUSE Linux Enterprise High Availability Extension 15 SP2 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 openSUSE Tumbleweed ruby2.1-rubygem-nokogiri ruby2.5-rubygem-nokogiri ruby2.7-rubygem-nokogiri-1.12.5-1.1 ruby3.0-rubygem-nokogiri-1.12.5-1.1 ruby3.1-rubygem-nokogiri-1.13.3-1.1 ruby3.2-rubygem-nokogiri-1.13.9-1.7 rubygem-nokogiri ruby2.7-rubygem-nokogiri-1.12.5-1.1 as a component of openSUSE Tumbleweed ruby3.0-rubygem-nokogiri-1.12.5-1.1 as a component of openSUSE Tumbleweed ruby3.1-rubygem-nokogiri-1.13.3-1.1 as a component of openSUSE Tumbleweed ruby3.2-rubygem-nokogiri-1.13.9-1.7 as a component of openSUSE Tumbleweed ruby2.5-rubygem-nokogiri as a component of SUSE Linux Enterprise High Availability Extension 15 rubygem-nokogiri as a component of SUSE Linux Enterprise High Availability Extension 15 ruby2.5-rubygem-nokogiri as a component of SUSE Linux Enterprise High Availability Extension 15 SP1 rubygem-nokogiri as a component of SUSE Linux Enterprise High Availability Extension 15 SP1 ruby2.5-rubygem-nokogiri as a component of SUSE Linux Enterprise High Availability Extension 15 SP2 rubygem-nokogiri as a component of SUSE Linux Enterprise High Availability Extension 15 SP2 ruby2.1-rubygem-nokogiri as a component of SUSE OpenStack Cloud Crowbar 8 rubygem-nokogiri as a component of SUSE OpenStack Cloud Crowbar 8 ruby2.1-rubygem-nokogiri as a component of SUSE OpenStack Cloud Crowbar 9 rubygem-nokogiri as a component of SUSE OpenStack Cloud Crowbar 9 Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected. CVE-2021-41098 openSUSE Tumbleweed:ruby2.7-rubygem-nokogiri-1.12.5-1.1 openSUSE Tumbleweed:ruby3.0-rubygem-nokogiri-1.12.5-1.1 openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.3-1.1 openSUSE Tumbleweed:ruby3.2-rubygem-nokogiri-1.13.9-1.7 SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-nokogiri SUSE Linux Enterprise High Availability Extension 15 SP1:rubygem-nokogiri SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-nokogiri SUSE Linux Enterprise High Availability Extension 15 SP2:rubygem-nokogiri SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-nokogiri SUSE Linux Enterprise High Availability Extension 15:rubygem-nokogiri SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-nokogiri SUSE OpenStack Cloud Crowbar 8:rubygem-nokogiri SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-nokogiri SUSE OpenStack Cloud Crowbar 9:rubygem-nokogiri important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N