CVE-2021-41098 : Security Advisory and Response

Learn about CVE-2021-41098 affecting Nokogiri on JRuby. Explore the impact, affected systems, exploitation risks, and mitigation steps for this XXE vulnerability.

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, an XXE vulnerability exists when using JRuby with certain parser classes, leading to improper restriction of XML external entity references.

Understanding CVE-2021-41098

Nokogiri on JRuby is vulnerable to an XXE issue due to the default behavior of resolving external entities in the SAX parser.

What is CVE-2021-41098?

In Nokogiri v1.12.4 and earlier on JRuby, certain parser classes resolve external entities by default, posing a security risk when parsing untrusted documents.

The Impact of CVE-2021-41098

        CVSS Base Score: 7.5 (High)
        CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        Severity: High
        Confidentiality Impact: High
        Integrity Impact: None
        JRuby users should upgrade to Nokogiri v1.12.5 or later to mitigate this vulnerability.

Technical Details of CVE-2021-41098

Nokogiri vulnerability specifics and affected systems.

Vulnerability Description

        The vulnerability is due to the default behavior of resolving external entities in certain parser classes.

Affected Systems and Versions

        Product: Nokogiri
        Vendor: sparklemotion
        Versions Affected: < 1.12.5

Exploitation Mechanism

        Users of Nokogiri on JRuby who parse untrusted documents with the affected parser classes are susceptible to XXE attacks.

Mitigation and Prevention

Actions to address the vulnerability and enhance system security.

Immediate Steps to Take

        Upgrade Nokogiri to version 1.12.5 or later for JRuby users.
        Avoid parsing untrusted documents with the affected parser classes.

Long-Term Security Practices

        Regularly update dependencies to the latest secure versions.
        Implement input validation to prevent XXE attacks.
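The input-validation step above, as an added example that is not part of this advisory or of Nokogiri's own code: a pure-Ruby pre-parse guard that rejects any document whose DOCTYPE points at an external DTD or declares an external (SYSTEM or PUBLIC) general or parameter entity, so such input never reaches an entity-resolving parser on JRuby. The class, method and constant names are my own, and the sample documents are constructed with placeholder URIs.

```ruby
# Added example (not Nokogiri's own code): a pure-Ruby pre-parse guard that
# refuses any document whose DOCTYPE references something outside the
# document, so untrusted input never reaches an entity-resolving parser.
# Standard library only; the sample documents are constructed for this example.

class UnsafeXmlError < StandardError; end

# External DTD subset: <!DOCTYPE name SYSTEM "..."> or <!DOCTYPE name PUBLIC "..." "...">
EXTERNAL_SUBSET_RE = /<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b/i
# External general or parameter entity: <!ENTITY name SYSTEM ...>, <!ENTITY % name PUBLIC ...>
EXTERNAL_ENTITY_RE = /<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b/i

# Classifies the document's DOCTYPE. Comments are stripped first so a
# commented-out declaration neither hides a live one nor trips the guard.
def classify_doctype(xml)
  text = xml.gsub(/<!--.*?-->/m, "")
  start = text.index(/<!DOCTYPE\b/i)
  return :no_doctype unless start
  bracket = text.index("[", start)
  close = text.index(">", start)
  if bracket && (close.nil? || bracket < close)
    # Internal subset present: it runs from "[" up to the first "]>".
    end_idx = text.index(/\]\s*>/, bracket) || text.length
    header = text[start...bracket]
    internal = text[bracket...end_idx]
  else
    header = text[start...(close || text.length)]
    internal = ""
  end
  return :external_subset if header =~ EXTERNAL_SUBSET_RE
  return :external_entity if internal =~ EXTERNAL_ENTITY_RE
  :internal_only
end

# Returns the document unchanged when it carries no external reference and
# raises otherwise, so a caller cannot forget the check: pass the result to
# the SAX parser (or any other Nokogiri parser) instead of the raw input.
def reject_external_entities!(xml)
  verdict = classify_doctype(xml)
  return xml if %i[no_doctype internal_only].include?(verdict)
  raise UnsafeXmlError, "DOCTYPE carries an external reference (#{verdict})"
end

# Constructed sample inputs (placeholder URIs, no real targets).
SAFE_DOC        = '<?xml version="1.0"?><order><id>42</id></order>'
INTERNAL_ONLY   = '<!DOCTYPE order [ <!ENTITY co "Example Co"> ]><order>&co;</order>'
EXTERNAL_SUBSET = '<!DOCTYPE order SYSTEM "http://dtd.example.invalid/order.dtd"><order/>'
EXTERNAL_ENTITY = '<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]><order>&ext;</order>'
PARAM_ENTITY    = '<!DOCTYPE order [ <!ENTITY % p SYSTEM "http://dtd.example.invalid/p.dtd"> %p; ]><order/>'
```

This guard is defence in depth for code paths that must accept untrusted XML; it does not replace upgrading to Nokogiri v1.12.5 or later, which fixes the default behaviour itself.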

Patching and Updates

        Nokogiri v1.12.5 provides a patch for this vulnerability to safeguard systems from XXE threats.
