VDB

GCVE-110-MAGEIA-2021-63

GCVE-110-MAGEIA-2021-63
Advisory Published
Vulnetix · Advisory published February 4, 2021
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename (CVE-2019-5477). In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible (CVE-2020-26247). The ruby-nokogiri package has been updated to version 1.10.10 to fix CVE-2019-5477 and patched to fix CVE-2020-26247.

Affected Products

VendorProductVersionsPlatforms
Mageiaruby-nokogiri0 (affected), 1.10.10-1.mga7 (unaffected), 0 (affected), 1.10.10-1.mga7 (unaffected)
Mageialibrecad0 (affected), 2.1.3-12.1.mga8 (unaffected)

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›