CVE-2018-8048.yml
---
gem: nokogiri
cve: 2018-8048
ghsa: x7rv-cr6v-4vm4
url: https://github.com/sparklemotion/nokogiri/pull/1746
title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
date: 2018-03-29
description: |
  [MRI] Behavior in libxml2 has been reverted which caused
  CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and
  CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is
  here:

  https://github.com/GNOME/libxml2/commit/960f0e2

  and more information is available about this commit and its impact
  here:

  https://github.com/flavorjones/loofah/issues/144

  This release simply reverts the libxml2 commit in question to protect
  users of Nokogiri's vendored libraries from similar vulnerabilities.

  If you're offended by what happened here, I'd kindly ask that you
  comment on the upstream bug report here:

  https://bugzilla.gnome.org/show_bug.cgi?id=769760
cvss_v3: 6.1
patched_versions:
  - ">= 1.8.3"
related:
  cve:
    - 2018-3740
    - 2018-3741
  url:
    - https://github.com/GNOME/libxml2/commit/960f0e2
    - https://bugzilla.gnome.org/show_bug.cgi?id=769760