PT-2020-5511 · Nokogiri+5

Published: 2020-12-30 · Updated: 2025-08-25 · CVE-2020-26247

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Nokogiri versions prior to 1.11.0.rc4:
Nokogiri versions 1.10.10 and earlier
Nokogiri prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3
Description

Nokogiri::XML::Schema did not correctly restrict references from an XML Schema to external objects, so parsing an untrusted schema could cause external resources to be fetched over the network. This could enable XXE or SSRF attacks. Trusting XML Schemas parsed by Nokogiri::XML::Schema by default contradicts the security policy of treating all input as untrusted by default.

Recommendations

For Nokogiri versions prior to 1.11.0.rc4, upgrade to Nokogiri version 1.11.0.rc4 or later. If you need to re-enable network access for resolution of external resources after upgrading, first ensure the input is trusted, then pass an instance of Nokogiri::XML::ParseOptions with the NONET flag turned off when invoking the Nokogiri::XML::Schema constructor. As a temporary workaround until you can upgrade, restrict the parser's access to external resources.

Exploit

Fix

XXE

Weakness Enumeration

Related Identifiers

BDU:2021-01008
CVE-2020-26247
DLA-2678-1
DLA-3149-1
GHSA-VR8Q-G5C7-M54M
MGASA-2021-0063
OESA-2021-1144
OPENSUSE-SU-2021:0237-1
RHSA-2021:4702
SUSE-SU-2021:0210-1
SUSE-SU-2021:0251-1
SUSE-SU-2021:2554-1
USN-7659-1

Affected Products

Astra Linux
Linuxmint
Nokogiri
Red Os
Suse
Ubuntu