Search for vulnerabilities
Vulnerability details: VCID-h12s-4b71-ekev
Vulnerability ID VCID-h12s-4b71-ekev
Aliases CVE-2015-5312
GHSA-xjqg-9jvg-fgx2
Summary Nokogiri gem contains several vulnerabilities in libxml2 Nokogiri version 1.6.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs: CVE-2015-5312 CVSS v2 Base Score: 7.1 (HIGH) The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660. CVE-2015-7497 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors. CVE-2015-7498 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure. CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. CVE-2015-7500 CVSS v2 Base Score: 5.0 (MEDIUM) The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags. CVE-2015-8241 CVSS v2 Base Score: 6.4 (MEDIUM) The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. CVE-2015-8242 CVSS v2 Base Score: 5.8 (MEDIUM) The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. CVE-2015-8317 CVSS v2 Base Score: 5.0 (MEDIUM) The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-400 Uncontrolled Resource Consumption
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-399 Resource Management Errors
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
generic_textual HIGH http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
generic_textual HIGH http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
generic_textual HIGH http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html
generic_textual HIGH http://marc.info/?l=bugtraq&m=145382616617563&w=2
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2015-2549.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2015-2550.html
epss 0.0352 https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss 0.0352 https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss 0.0352 https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss 0.0352 https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss 0.0352 https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss 0.0352 https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss 0.0352 https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss 0.0352 https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss 0.0352 https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss 0.0352 https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss 0.0352 https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss 0.0352 https://api.first.org/data/v1/epss?cve=CVE-2015-5312
epss 0.0352 https://api.first.org/data/v1/epss?cve=CVE-2015-5312
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=1276693
generic_textual HIGH https://git.gnome.org/browse/libxml2/commit/?id=69030714cde66d525a8884bda01b9e8f0abf8e1e
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-xjqg-9jvg-fgx2
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml
generic_textual HIGH https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
generic_textual HIGH https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04944172
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2015-5312
generic_textual HIGH https://security.gentoo.org/glsa/201701-37
generic_textual HIGH https://support.apple.com/HT206166
generic_textual HIGH https://support.apple.com/HT206167
generic_textual HIGH https://support.apple.com/HT206168
generic_textual HIGH https://support.apple.com/HT206169
generic_textual HIGH http://www.debian.org/security/2015/dsa-3430
generic_textual HIGH http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
generic_textual HIGH http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
generic_textual HIGH http://www.ubuntu.com/usn/USN-2834-1
generic_textual HIGH http://xmlsoft.org/news.html
Reference id Reference type URL
http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html
http://marc.info/?l=bugtraq&m=145382616617563&w=2
http://rhn.redhat.com/errata/RHSA-2015-2549.html
http://rhn.redhat.com/errata/RHSA-2015-2550.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-5312.json
https://api.first.org/data/v1/epss?cve=CVE-2015-5312
https://bugzilla.redhat.com/show_bug.cgi?id=1276693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1819
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5312
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7941
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8035
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8241
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8710
https://git.gnome.org/browse/libxml2/commit/?id=69030714cde66d525a8884bda01b9e8f0abf8e1e
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml
https://github.com/sparklemotion/nokogiri/commit/4205af1a2a546f79d1b48df2ad8b27299c0099c5
https://github.com/sparklemotion/nokogiri/pull/1378
https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04944172
https://nvd.nist.gov/vuln/detail/CVE-2015-5312
https://security.gentoo.org/glsa/201701-37
https://support.apple.com/HT206166
https://support.apple.com/HT206167
https://support.apple.com/HT206168
https://support.apple.com/HT206169
http://www.debian.org/security/2015/dsa-3430
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.ubuntu.com/usn/USN-2834-1
http://xmlsoft.org/news.html
GHSA-xjqg-9jvg-fgx2 https://github.com/advisories/GHSA-xjqg-9jvg-fgx2
RHSA-2015:2549 https://access.redhat.com/errata/RHSA-2015:2549
RHSA-2015:2550 https://access.redhat.com/errata/RHSA-2015:2550
RHSA-2016:1089 https://access.redhat.com/errata/RHSA-2016:1089
USN-2834-1 https://usn.ubuntu.com/2834-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.87196
EPSS Score 0.0352
Published At Aug. 17, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:04:56.342384+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-5312.yml 37.0.0