
CVE-2020-26247: Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.77483%
Published: 12/30/2020
Updated: 5/4/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| nokogiri | rubygems | <= 1.10.10 | 1.11.0 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the schema parsing functions not restricting network access by default. The patch introduced a ParseOptions parameter whose default sets the NONET flag, so network access now requires an explicit opt-in. The key vulnerable functions are the schema initialization methods (new, from_document, read_memory), which prior to 1.11.0.rc4 accepted no parse options and therefore applied no such restriction. The diff shows these functions were modified to accept ParseOptions and to set NONET by default, confirming their role in the vulnerability.
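The defaults described above, as an added Ruby example that is not Nokogiri's own code: a small guard around Nokogiri::XML::Schema.new that keeps NONET set, plus an audit of the option bits a caller passes. The flag bit values mirror libxml2's xmlParserOption constants (which Nokogiri::XML::ParseOptions exposes under the same names); the SchemaGuard module, its method names and DEMO_XSD are assumptions for this example.

```ruby
# Audit helpers work without the gem; the wrapper itself needs nokogiri >= 1.11.0.
begin
  require "nokogiri"
  NOKOGIRI_AVAILABLE = true
rescue LoadError
  NOKOGIRI_AVAILABLE = false
end
module SchemaGuard
  # Bit values mirror libxml2's xmlParserOption, as exposed by Nokogiri::XML::ParseOptions.
  NOENT   = 1 << 1    # substitute entities: enables classic XXE on untrusted input
  DTDLOAD = 1 << 2    # load the external DTD subset
  NONET   = 1 << 11   # forbid network fetches (XML_PARSE_NONET)
  # ParseOptions::DEFAULT_SCHEMA since 1.11.0; before the fix schemas were parsed with options 0.
  SAFE_DEFAULT = NONET

  # true when these option bits would let libxml2 reach the network
  def self.network_allowed?(options)
    (options & NONET).zero?
  end

  # Force NONET on and report flags that still widen external resource
  # loading, so a reviewer sees exactly what the caller asked for.
  def self.harden(options)
    risky = []
    risky << :noent   unless (options & NOENT).zero?
    risky << :dtdload unless (options & DTDLOAD).zero?
    [options | NONET, risky]
  end

  # Use instead of calling Schema.new directly: refuses any option set that
  # opts back into network access instead of silently honouring it.
  def self.load_schema(xsd_source, options = SAFE_DEFAULT)
    if network_allowed?(options)
      raise ArgumentError, format("schema parse options %#x permit network access", options)
    end
    Nokogiri::XML::Schema.new(xsd_source, Nokogiri::XML::ParseOptions.new(options))
  end
end

# Constructed XSD for the demo: no include/import, so it loads under NONET.
DEMO_XSD = <<~XSD
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="note" type="xs:string"/>
  </xs:schema>
XSD
if __FILE__ == $0 && NOKOGIRI_AVAILABLE
  schema = SchemaGuard.load_schema(DEMO_XSD)
  puts schema.validate(Nokogiri::XML("<note>hi</note>")).empty? # true: document is valid
end
```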


