Vulnerability details: VCID-qcfr-u9jt-1fex
Vulnerability ID VCID-qcfr-u9jt-1fex
Aliases CVE-2017-16932
GHSA-x2fm-93ww-ggvx
Summary Nokogiri gem, via libxml, is affected by DoS vulnerabilities. The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issues by upgrading to libxml 2.9.5. Wei Lei discovered that libxml2 incorrectly handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (4)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-16932.json
epss 0.01584 https://api.first.org/data/v1/epss?cve=CVE-2017-16932
epss 0.08852 https://api.first.org/data/v1/epss?cve=CVE-2017-16932
epss 0.09071 https://api.first.org/data/v1/epss?cve=CVE-2017-16932
cvssv3.1 7.5 https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html
generic_textual HIGH https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html
cvssv3.1 7.5 https://bugzilla.gnome.org/show_bug.cgi?id=759579
generic_textual HIGH https://bugzilla.gnome.org/show_bug.cgi?id=759579
cvssv3 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-x2fm-93ww-ggvx
cvssv3.1 7.5 https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961
generic_textual HIGH https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961
cvssv3.1 7.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-16932.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-16932.yml
cvssv3 7.5 https://github.com/sparklemotion/nokogiri/issues/1714
cvssv3.1 7.5 https://github.com/sparklemotion/nokogiri/issues/1714
generic_textual HIGH https://github.com/sparklemotion/nokogiri/issues/1714
cvssv3.1 7.5 https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
generic_textual HIGH https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
cvssv3.1 7.5 https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
generic_textual HIGH https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2017-16932
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2017-16932
cvssv3.1 7.5 https://usn.ubuntu.com/3739-1
generic_textual HIGH https://usn.ubuntu.com/3739-1
cvssv3.1 7.5 http://xmlsoft.org/news.html
generic_textual HIGH http://xmlsoft.org/news.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-16932.json
https://api.first.org/data/v1/epss?cve=CVE-2017-16932
https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html
https://bugzilla.gnome.org/show_bug.cgi?id=759579
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16932
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-16932.yml
https://github.com/sparklemotion/nokogiri/issues/1714
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html
https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html
https://nvd.nist.gov/vuln/detail/CVE-2017-16932
https://usn.ubuntu.com/3739-1
https://usn.ubuntu.com/usn/usn-3504-1/
http://xmlsoft.org/news.html
1517316 https://bugzilla.redhat.com/show_bug.cgi?id=1517316
882613 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882613
CVE-2017-16932.HTML https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html
GHSA-x2fm-93ww-ggvx https://github.com/advisories/GHSA-x2fm-93ww-ggvx
USN-3504-1 https://usn.ubuntu.com/3504-1/
USN-3504-2 https://usn.ubuntu.com/3504-2/
USN-3739-1 https://usn.ubuntu.com/3739-1/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-16932.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://bugzilla.gnome.org/show_bug.cgi?id=759579

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-16932.yml

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/sparklemotion/nokogiri/issues/1714

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2017-16932

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://usn.ubuntu.com/3739-1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://xmlsoft.org/news.html

Exploit Prediction Scoring System (EPSS)
Percentile 0.80938
EPSS Score 0.01584
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:04:56.503982+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2017-16932.yml 37.0.0