GSD-2015-8806
Vulnerability from gsd - Updated: 2016-06-07 00:00Details
Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt,
which are libraries Nokogiri depends on. It was discovered that libxml2 and
libxslt incorrectly handled certain malformed documents, which can allow
malicious users to cause issues ranging from denial of service to remote code
execution attacks.
For more information, the Ubuntu Security Notice is a good start:
http://www.ubuntu.com/usn/usn-2994-1/
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2015-8806",
"description": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the \"\u003c!DOCTYPE html\" substring in a crafted HTML document.",
"id": "GSD-2015-8806",
"references": [
"https://www.suse.com/security/cve/CVE-2015-8806.html",
"https://www.debian.org/security/2016/dsa-3593",
"https://ubuntu.com/security/CVE-2015-8806",
"https://advisories.mageia.org/CVE-2015-8806.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri",
"purl": "pkg:gem/nokogiri"
}
}
],
"aliases": [
"CVE-2015-8806",
"GHSA-7hp2-xwpj-95jq"
],
"details": "Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt,\nwhich are libraries Nokogiri depends on. It was discovered that libxml2 and\nlibxslt incorrectly handled certain malformed documents, which can allow\nmalicious users to cause issues ranging from denial of service to remote code\nexecution attacks.\n\nFor more information, the Ubuntu Security Notice is a good start:\nhttp://www.ubuntu.com/usn/usn-2994-1/\n",
"id": "GSD-2015-8806",
"modified": "2016-06-07T00:00:00.000Z",
"published": "2016-06-07T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/issues/1473"
},
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028"
},
{
"type": "WEB",
"url": "https://mail.gnome.org/archives/xml/2016-May/msg00023.html"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/usn-2994-1/"
}
],
"related": [
"CVE-2016-1762",
"CVE-2016-1833",
"CVE-2016-1834",
"CVE-2016-1835",
"CVE-2016-1836",
"CVE-2016-1837",
"CVE-2016-1838",
"CVE-2016-1839",
"CVE-2016-1840",
"CVE-2016-2073",
"CVE-2016-3627",
"CVE-2016-3705",
"CVE-2016-4447",
"CVE-2016-4449",
"CVE-2016-4483"
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V3"
}
],
"summary": "Denial of service or RCE from libxml2 and libxslt"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2015-8806",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the \"\u003c!DOCTYPE html\" substring in a crafted HTML document."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.gnome.org/show_bug.cgi?id=749115",
"refsource": "MISC",
"url": "https://bugzilla.gnome.org/show_bug.cgi?id=749115"
},
{
"name": "DSA-3593",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2016/dsa-3593"
},
{
"name": "USN-2994-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-2994-1"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"
},
{
"name": "[oss-security] 20160203 Re: Out-of-bounds Read in the libxml2\u0027s htmlParseNameComplex() function",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/02/03/5"
},
{
"name": "GLSA-201701-37",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201701-37"
},
{
"name": "82071",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/82071"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2015-8806",
"cvss_v3": 7.5,
"date": "2016-06-07",
"description": "Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt,\nwhich are libraries Nokogiri depends on. It was discovered that libxml2 and\nlibxslt incorrectly handled certain malformed documents, which can allow\nmalicious users to cause issues ranging from denial of service to remote code\nexecution attacks.\n\nFor more information, the Ubuntu Security Notice is a good start:\nhttp://www.ubuntu.com/usn/usn-2994-1/\n",
"gem": "nokogiri",
"ghsa": "7hp2-xwpj-95jq",
"patched_versions": [
"\u003e= 1.6.8"
],
"related": {
"cve": [
"2016-1762",
"2016-1833",
"2016-1834",
"2016-1835",
"2016-1836",
"2016-1837",
"2016-1838",
"2016-1839",
"2016-1840",
"2016-2073",
"2016-3627",
"2016-3705",
"2016-4447",
"2016-4449",
"2016-4483"
],
"url": [
"https://github.com/sparklemotion/nokogiri/issues/1473",
"https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028",
"https://mail.gnome.org/archives/xml/2016-May/msg00023.html",
"http://www.ubuntu.com/usn/usn-2994-1/"
]
},
"title": "Denial of service or RCE from libxml2 and libxslt",
"unaffected_versions": [
"\u003c 1.6.0"
],
"url": "https://github.com/sparklemotion/nokogiri/issues/1473"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.6.8",
"affected_versions": "All versions before 1.6.8",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2017-06-30",
"description": "Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks.",
"fixed_versions": [
"1.6.8"
],
"identifier": "CVE-2015-8806",
"identifiers": [
"CVE-2015-8806"
],
"not_impacted": "All versions starting from 1.6.8",
"package_slug": "gem/nokogiri",
"pubdate": "2016-04-13",
"solution": "Upgrade to version 1.6.8 or above.",
"title": "Denial of service or RCE from libxml2 and libxslt",
"urls": [
"http://www.ubuntu.com/usn/usn-2994-1/",
"https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028",
"https://github.com/sparklemotion/nokogiri/issues/1473",
"https://mail.gnome.org/archives/xml/2016-May/msg00023.html"
],
"uuid": "988aa1ec-2e90-4cdf-9ed5-0900f3846b70"
},
{
"affected_range": "(,2.9.4)",
"affected_versions": "All versions before 2.9.4",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2020-09-11",
"description": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the \"\u003c!DOCTYPE html\" substring in a crafted HTML document.",
"fixed_versions": [],
"identifier": "CVE-2015-8806",
"identifiers": [
"CVE-2015-8806"
],
"not_impacted": "",
"package_slug": "nuget/libxml2",
"pubdate": "2016-04-13",
"solution": "Unfortunately, there is no solution available yet.",
"title": "Uncontrolled Resource Consumption",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2015-8806"
],
"uuid": "969c04b9-67ea-4a19-8e84-f161b46649fc"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.9.4",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2015-8806"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the \"\u003c!DOCTYPE html\" substring in a crafted HTML document."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.gnome.org/show_bug.cgi?id=749115",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.gnome.org/show_bug.cgi?id=749115"
},
{
"name": "82071",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/82071"
},
{
"name": "[oss-security] 20160203 Re: Out-of-bounds Read in the libxml2\u0027s htmlParseNameComplex() function",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/02/03/5"
},
{
"name": "DSA-3593",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2016/dsa-3593"
},
{
"name": "USN-2994-1",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-2994-1"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"
},
{
"name": "GLSA-201701-37",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201701-37"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": true,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2020-09-11T15:32Z",
"publishedDate": "2016-04-13T17:59Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…