Vulnerability Information
Vulnerability Title
Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247
Vulnerability Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Vulnerability Type
Improper Handling of Case Sensitivity
Vulnerability Title
Sparkle Motion Nokogiri Input Validation Error Vulnerability
Vulnerability Description
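Sparkle Motion Nokogiri is an HTML, XML and SAX parsing library from the individual developer Sparkle Motion. Sparkle Motion Nokogiri versions prior to 1.19.4 contain an input validation error vulnerability. It stems from the NONET parse option not being correctly enforced in the JRuby implementation, so a schema parsed with default options may still fetch external resources, which can lead to SSRF or XXE attacks.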
CVSS Information
N/A
Vulnerability Type
N/A