CVE-2021-41098

Description

### Severity The Nokogiri maintainers have evaluated this as [**High Severity** 7.5 (CVSS3.0)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C/MAV:N/MAC:L) for JRuby users. (This security advisory does not apply to CRuby users.) ### Impact In Nokogiri v1.12.4 and earlier, **on JRuby only**, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: - Nokogiri::XML::SAX::Parser - Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser - Nokogiri::XML::SAX::PushParser - Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser ### Mitigation JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.

How to fix CVE-2021-41098

To remediate CVE-2021-41098, upgrade the affected package to a fixed version below.

• —upgrade to 1.12.5 or later

Is CVE-2021-41098 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.12.5

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-41098
• PATCHgithub.com/sparklemotion/nokogiri
• WEBgithub.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-41098.yml
• WEBgithub.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f6d