Merge pull request #433 from p8/nokogiri-CVE-2020-7595

Add CVE-2020-7595 for nokogiri
rubysec · Feb 25, 2020 · 309cacf · 309cacf
2 parents d7f1839 + bfdf2d8
commit 309cacf
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/gems/nokogiri/CVE-2020-7595.yml b/gems/nokogiri/CVE-2020-7595.yml
@@ -0,0 +1,20 @@
+---
+gem: nokogiri
+cve: 2020-7595
+url: https://github.com/sparklemotion/nokogiri/issues/1992
+date: 2020-02-12
+title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
+description: |-
+
+  Nokogiri has backported the patch for CVE-2020-7595 into its vendored version
+  of libxml2, and released this as v1.10.8
+
+  CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and
+  so Nokogiri versions <= v1.10.7 are vulnerable.
+
+patched_versions:
+  - ">= 1.10.8"
+
+cvss_v2: 5.0
+cvss_v3: 7.5
+