VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-h12s-4b71-ekev

Essentials
Severities (46)
References (43)
Severity details (23)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-h12s-4b71-ekev
Aliases	CVE-2015-5312 GHSA-xjqg-9jvg-fgx2
Summary	Nokogiri gem contains several vulnerabilities in libxml2 Nokogiri version 1.6.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs: CVE-2015-5312 CVSS v2 Base Score: 7.1 (HIGH) The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660. CVE-2015-7497 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors. CVE-2015-7498 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure. CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. CVE-2015-7500 CVSS v2 Base Score: 5.0 (MEDIUM) The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags. CVE-2015-8241 CVSS v2 Base Score: 6.4 (MEDIUM) The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. CVE-2015-8242 CVSS v2 Base Score: 5.8 (MEDIUM) The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. CVE-2015-8317 CVSS v2 Base Score: 5.0 (MEDIUM) The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-400	Uncontrolled Resource Consumption
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-399	Resource Management Errors
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
generic_textual	HIGH	http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
generic_textual	HIGH	http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
generic_textual	HIGH	http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html
generic_textual	HIGH	http://marc.info/?l=bugtraq&m=145382616617563&w=2
generic_textual	HIGH	http://rhn.redhat.com/errata/RHSA-2015-2549.html
generic_textual	HIGH	http://rhn.redhat.com/errata/RHSA-2015-2550.html
epss	0.01993	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.01993	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.01993	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.01993	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.01993	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.01993	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.01993	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.01993	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.01993	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.01993	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.0352	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.0352	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.0352	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.0352	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.0352	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.0352	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.0352	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.0352	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.0352	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.0352	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.0352	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.0352	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss	0.0352	https://api.first.org/data/v1/epss?cve=CVE-2015-5312
generic_textual	HIGH	https://bugzilla.redhat.com/show_bug.cgi?id=1276693
generic_textual	HIGH	https://git.gnome.org/browse/libxml2/commit/?id=69030714cde66d525a8884bda01b9e8f0abf8e1e
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-xjqg-9jvg-fgx2
generic_textual	HIGH	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml
generic_textual	HIGH	https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
generic_textual	HIGH	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04944172
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2015-5312
generic_textual	HIGH	https://security.gentoo.org/glsa/201701-37
generic_textual	HIGH	https://support.apple.com/HT206166
generic_textual	HIGH	https://support.apple.com/HT206167
generic_textual	HIGH	https://support.apple.com/HT206168
generic_textual	HIGH	https://support.apple.com/HT206169
generic_textual	HIGH	http://www.debian.org/security/2015/dsa-3430
generic_textual	HIGH	http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
generic_textual	HIGH	http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
generic_textual	HIGH	http://www.ubuntu.com/usn/USN-2834-1
generic_textual	HIGH	http://xmlsoft.org/news.html

Reference id	Reference type	URL
		http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
		http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
		http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html
		http://marc.info/?l=bugtraq&m=145382616617563&w=2
		http://rhn.redhat.com/errata/RHSA-2015-2549.html
		http://rhn.redhat.com/errata/RHSA-2015-2550.html
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-5312.json
		https://api.first.org/data/v1/epss?cve=CVE-2015-5312
		https://bugzilla.redhat.com/show_bug.cgi?id=1276693
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1819
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5312
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7497
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7498
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7941
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7942
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8035
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8241
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8317
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8710
		https://git.gnome.org/browse/libxml2/commit/?id=69030714cde66d525a8884bda01b9e8f0abf8e1e
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml
		https://github.com/sparklemotion/nokogiri/commit/4205af1a2a546f79d1b48df2ad8b27299c0099c5
		https://github.com/sparklemotion/nokogiri/pull/1378
		https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
		https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04944172
		https://nvd.nist.gov/vuln/detail/CVE-2015-5312
		https://security.gentoo.org/glsa/201701-37
		https://support.apple.com/HT206166
		https://support.apple.com/HT206167
		https://support.apple.com/HT206168
		https://support.apple.com/HT206169
		http://www.debian.org/security/2015/dsa-3430
		http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
		http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
		http://www.ubuntu.com/usn/USN-2834-1
		http://xmlsoft.org/news.html
GHSA-xjqg-9jvg-fgx2		https://github.com/advisories/GHSA-xjqg-9jvg-fgx2
RHSA-2015:2549		https://access.redhat.com/errata/RHSA-2015:2549
RHSA-2015:2550		https://access.redhat.com/errata/RHSA-2015:2550
RHSA-2016:1089		https://access.redhat.com/errata/RHSA-2016:1089
USN-2834-1		https://usn.ubuntu.com/2834-1/

No exploits are available.

Exploit Prediction Scoring System (EPSS)

Percentile	0.82915
EPSS Score	0.01993
Published At	Sept. 9, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:04:56.342384+00:00	Ruby Importer	Import	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml	37.0.0