Denial of Service in Nokogiri Gem Affecting Ruby Applications
CVE-2013-6460

6.5 MEDIUM

Key Information:

Vendor:
Ruby

CVE Published:
5 November 2019

What is CVE-2013-6460?

The Nokogiri gem version 1.5.x is susceptible to a Denial of Service (DoS) vulnerability due to an infinite loop that occurs when improperly formed XML documents are parsed. This issue can be exploited by crafting specific XML inputs, which could cause applications relying on the Nokogiri gem to become unresponsive, potentially leading to downtime and disruption of services. Developers using Nokogiri should ensure their applications include proper input validation and update to a patched version of the gem to mitigate this risk.

Affected Version(s)

Nokogiri gem 1.5.x

Nokogiri gem 1.6.x
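As an added example (not code from this advisory or from the Nokogiri project), the following Ruby script audits a Gemfile.lock for a pinned nokogiri version inside the 1.5.x or 1.6.x ranges listed above; the lockfile text it runs on is constructed for the demonstration.

```ruby
require "rubygems"

# Affected ranges as listed on this advisory page: 1.5.x and 1.6.x.
AFFECTED_RANGES = [
  Gem::Requirement.new("~> 1.5.0"), # >= 1.5.0, < 1.6
  Gem::Requirement.new("~> 1.6.0"), # >= 1.6.0, < 1.7
].freeze

# Pull the resolved version of a gem out of Gemfile.lock text.
# Lockfile spec entries look like "    nokogiri (1.5.9)"; platform
# pins such as "nokogiri (1.6.0-java)" are matched too, and the
# platform suffix is dropped so only the numeric version is compared.
def locked_version(lockfile_text, gem_name)
  pattern = /^\s+#{Regexp.escape(gem_name)} \((\d+(?:\.\d+)*)(?:-[^)]+)?\)$/
  match = lockfile_text.match(pattern)
  match && Gem::Version.new(match[1])
end

# True when the given Gem::Version falls in one of the affected ranges.
def affected_by_cve_2013_6460?(version)
  AFFECTED_RANGES.any? { |req| req.satisfied_by?(version) }
end

# Returns :not_present, :affected or :not_affected for a lockfile.
def audit_lockfile(lockfile_text)
  version = locked_version(lockfile_text, "nokogiri")
  return :not_present if version.nil?

  affected_by_cve_2013_6460?(version) ? :affected : :not_affected
end

# Constructed sample lockfile (hypothetical application, not a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.5.9)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
LOCK

puts "nokogiri #{locked_version(SAMPLE_LOCKFILE, 'nokogiri')}: #{audit_lockfile(SAMPLE_LOCKFILE)}"
```

Point the script at a real Gemfile.lock with `audit_lockfile(File.read("Gemfile.lock"))` to check a deployed application.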

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved