{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2021-41098","title":"Title"},{"category":"description","text":"Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parser, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. 
CRuby users are not affected.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2021-41098","url":"https://www.suse.com/security/cve/CVE-2021-41098"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1191029 for CVE-2021-41098","url":"https://bugzilla.suse.com/1191029"},{"category":"external","summary":"Advisory link for openSUSE-SU-2025:14697-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U5YNW74OL2W7SH2XTAVN5TODNFIVFL3Y/"}],"title":"SUSE CVE CVE-2021-41098","tracking":{"current_release_date":"2026-03-15T10:06:06Z","generator":{"date":"2023-02-15T03:37:46Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2021-41098","initial_release_date":"2023-02-15T03:37:46Z","revision_history":[{"date":"2023-02-15T03:37:46Z","number":"2","summary":"Current version"},{"date":"2024-07-13T03:22:57Z","number":"3","summary":"Current version"},{"date":"2025-01-01T04:12:22Z","number":"4","summary":"Current version"},{"date":"2025-01-26T04:10:59Z","number":"5","summary":"Current version"},{"date":"2025-01-27T03:59:32Z","number":"6","summary":"Current version"},{"date":"2025-02-15T04:47:10Z","number":"7","summary":"Current version"},{"date":"2025-02-17T05:09:38Z","number":"8","summary":"Current version"},{"date":"2025-03-15T08:40:50Z","number":"9","summary":"Current version"},{"date":"2025-04-25T04:30:47Z","number":"10","summary":"Current version"},{"date":"2026-03-15T10:06:06Z","number":"11","summary":"more updates 
released"}],"status":"interim","version":"11"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15","product":{"name":"SUSE Linux Enterprise High Availability Extension 15","product_id":"SUSE Linux Enterprise High Availability Extension 15","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP1","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP1","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP2","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP2","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP2","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp2"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 8","product":{"name":"SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 9","product":{"name":"SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:9"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE 
Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"ruby2.1-rubygem-nokogiri","product":{"name":"ruby2.1-rubygem-nokogiri","product_id":"ruby2.1-rubygem-nokogiri","product_identification_helper":{"cpe":"cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*","purl":"pkg:rpm/suse/ruby2.1-rubygem-nokogiri@?upstream=rubygem-nokogiri.src.rpm"}}},{"category":"product_version","name":"ruby2.5-rubygem-nokogiri","product":{"name":"ruby2.5-rubygem-nokogiri","product_id":"ruby2.5-rubygem-nokogiri","product_identification_helper":{"cpe":"cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*","purl":"pkg:rpm/suse/ruby2.5-rubygem-nokogiri@?upstream=rubygem-nokogiri.src.rpm"}}},{"category":"product_version","name":"ruby2.7-rubygem-nokogiri-1.12.5-1.1","product":{"name":"ruby2.7-rubygem-nokogiri-1.12.5-1.1","product_id":"ruby2.7-rubygem-nokogiri-1.12.5-1.1","product_identification_helper":{"cpe":"cpe:2.3:a:nokogiri:nokogiri:1.12.5:*:*:*:*:ruby:*:*","purl":"pkg:rpm/suse/ruby2.7-rubygem-nokogiri@1.12.5-1.1"}}},{"category":"product_version","name":"ruby3.0-rubygem-nokogiri-1.12.5-1.1","product":{"name":"ruby3.0-rubygem-nokogiri-1.12.5-1.1","product_id":"ruby3.0-rubygem-nokogiri-1.12.5-1.1","product_identification_helper":{"cpe":"cpe:2.3:a:nokogiri:nokogiri:1.12.5:*:*:*:*:ruby:*:*","purl":"pkg:rpm/suse/ruby3.0-rubygem-nokogiri@1.12.5-1.1"}}},{"category":"product_version","name":"ruby3.1-rubygem-nokogiri-1.13.3-1.1","product":{"name":"ruby3.1-rubygem-nokogiri-1.13.3-1.1","product_id":"ruby3.1-rubygem-nokogiri-1.13.3-1.1","product_identification_helper":{"cpe":"cpe:2.3:a:nokogiri:nokogiri:1.13.3:*:*:*:*:ruby:*:*","purl":"pkg:rpm/suse/ruby3.1-rubygem-nokogiri@1.13.3-1.1"}}},{"category":"product_version","name":"ruby3.2-rubygem-nokogiri-1.13.9-1.7","product":{"name":"ruby3.2-rubygem-nokogiri-1.13.9-1.7","product_id":"ruby3.2-rubygem-nokogiri-1.13.9-1.7","product_identification_helper":{"purl":"pkg:rpm/suse/ruby3.2-rubygem-nokogiri@1.13
.9-1.7"}}},{"category":"product_version","name":"ruby3.3-rubygem-nokogiri-1.15.5-1.5","product":{"name":"ruby3.3-rubygem-nokogiri-1.15.5-1.5","product_id":"ruby3.3-rubygem-nokogiri-1.15.5-1.5","product_identification_helper":{"purl":"pkg:rpm/suse/ruby3.3-rubygem-nokogiri@1.15.5-1.5"}}},{"category":"product_version","name":"ruby3.4-rubygem-nokogiri-1.18.2-1.1","product":{"name":"ruby3.4-rubygem-nokogiri-1.18.2-1.1","product_id":"ruby3.4-rubygem-nokogiri-1.18.2-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/ruby3.4-rubygem-nokogiri@1.18.2-1.1"}}},{"category":"product_version","name":"ruby4.0-rubygem-nokogiri-1.18.9-1.4","product":{"name":"ruby4.0-rubygem-nokogiri-1.18.9-1.4","product_id":"ruby4.0-rubygem-nokogiri-1.18.9-1.4","product_identification_helper":{"purl":"pkg:rpm/suse/ruby4.0-rubygem-nokogiri@1.18.9-1.4"}}},{"category":"product_version","name":"rubygem-nokogiri","product":{"name":"rubygem-nokogiri","product_id":"rubygem-nokogiri","product_identification_helper":{"cpe":"cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*","purl":"pkg:rpm/suse/rubygem-nokogiri@?upstream=rubygem-nokogiri.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"ruby2.7-rubygem-nokogiri-1.12.5-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby2.7-rubygem-nokogiri-1.12.5-1.1"},"product_reference":"ruby2.7-rubygem-nokogiri-1.12.5-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ruby3.0-rubygem-nokogiri-1.12.5-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby3.0-rubygem-nokogiri-1.12.5-1.1"},"product_reference":"ruby3.0-rubygem-nokogiri-1.12.5-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ruby3.1-rubygem-nokogiri-1.13.3-1.1 as component 
of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.3-1.1"},"product_reference":"ruby3.1-rubygem-nokogiri-1.13.3-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ruby3.2-rubygem-nokogiri-1.13.9-1.7 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby3.2-rubygem-nokogiri-1.13.9-1.7"},"product_reference":"ruby3.2-rubygem-nokogiri-1.13.9-1.7","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ruby3.3-rubygem-nokogiri-1.15.5-1.5 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby3.3-rubygem-nokogiri-1.15.5-1.5"},"product_reference":"ruby3.3-rubygem-nokogiri-1.15.5-1.5","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ruby3.4-rubygem-nokogiri-1.18.2-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby3.4-rubygem-nokogiri-1.18.2-1.1"},"product_reference":"ruby3.4-rubygem-nokogiri-1.18.2-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ruby4.0-rubygem-nokogiri-1.18.9-1.4 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4"},"product_reference":"ruby4.0-rubygem-nokogiri-1.18.9-1.4","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-nokogiri as component of SUSE Linux Enterprise High Availability Extension 15","product_id":"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-nokogiri"},"product_reference":"ruby2.5-rubygem-nokogiri","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15"},{"category":"default_component_of","full_product_name":{"name":"rubygem-nokogiri as component of SUSE Linux Enterprise 
High Availability Extension 15","product_id":"SUSE Linux Enterprise High Availability Extension 15:rubygem-nokogiri"},"product_reference":"rubygem-nokogiri","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-nokogiri as component of SUSE Linux Enterprise High Availability Extension 15 SP1","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-nokogiri"},"product_reference":"ruby2.5-rubygem-nokogiri","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP1"},{"category":"default_component_of","full_product_name":{"name":"rubygem-nokogiri as component of SUSE Linux Enterprise High Availability Extension 15 SP1","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP1:rubygem-nokogiri"},"product_reference":"rubygem-nokogiri","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP1"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-nokogiri as component of SUSE Linux Enterprise High Availability Extension 15 SP2","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-nokogiri"},"product_reference":"ruby2.5-rubygem-nokogiri","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"rubygem-nokogiri as component of SUSE Linux Enterprise High Availability Extension 15 SP2","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP2:rubygem-nokogiri"},"product_reference":"rubygem-nokogiri","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"ruby2.1-rubygem-nokogiri as component of SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 
8:ruby2.1-rubygem-nokogiri"},"product_reference":"ruby2.1-rubygem-nokogiri","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 8"},{"category":"default_component_of","full_product_name":{"name":"rubygem-nokogiri as component of SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8:rubygem-nokogiri"},"product_reference":"rubygem-nokogiri","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 8"},{"category":"default_component_of","full_product_name":{"name":"ruby2.1-rubygem-nokogiri as component of SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-nokogiri"},"product_reference":"ruby2.1-rubygem-nokogiri","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 9"},{"category":"default_component_of","full_product_name":{"name":"rubygem-nokogiri as component of SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9:rubygem-nokogiri"},"product_reference":"rubygem-nokogiri","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 9"}]},"vulnerabilities":[{"cve":"CVE-2021-41098","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2021-41098"}],"notes":[{"category":"general","text":"Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parser, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. 
CRuby users are not affected.","title":"CVE description"}],"product_status":{"known_not_affected":["SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-nokogiri","SUSE Linux Enterprise High Availability Extension 15 SP1:rubygem-nokogiri","SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-nokogiri","SUSE Linux Enterprise High Availability Extension 15 SP2:rubygem-nokogiri","SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-nokogiri","SUSE Linux Enterprise High Availability Extension 15:rubygem-nokogiri","SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-nokogiri","SUSE OpenStack Cloud Crowbar 8:rubygem-nokogiri","SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-nokogiri","SUSE OpenStack Cloud Crowbar 9:rubygem-nokogiri"],"recommended":["openSUSE Tumbleweed:ruby2.7-rubygem-nokogiri-1.12.5-1.1","openSUSE Tumbleweed:ruby3.0-rubygem-nokogiri-1.12.5-1.1","openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.3-1.1","openSUSE Tumbleweed:ruby3.2-rubygem-nokogiri-1.13.9-1.7","openSUSE Tumbleweed:ruby3.3-rubygem-nokogiri-1.15.5-1.5","openSUSE Tumbleweed:ruby3.4-rubygem-nokogiri-1.18.2-1.1","openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4"]},"references":[{"category":"external","summary":"CVE-2021-41098","url":"https://www.suse.com/security/cve/CVE-2021-41098"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1191029 for CVE-2021-41098","url":"https://bugzilla.suse.com/1191029"},{"category":"external","summary":"Advisory link for openSUSE-SU-2025:14697-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U5YNW74OL2W7SH2XTAVN5TODNFIVFL3Y/"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE 
Tumbleweed:ruby2.7-rubygem-nokogiri-1.12.5-1.1","openSUSE Tumbleweed:ruby3.0-rubygem-nokogiri-1.12.5-1.1","openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.3-1.1","openSUSE Tumbleweed:ruby3.2-rubygem-nokogiri-1.13.9-1.7","openSUSE Tumbleweed:ruby3.3-rubygem-nokogiri-1.15.5-1.5","openSUSE Tumbleweed:ruby3.4-rubygem-nokogiri-1.18.2-1.1","openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4"]}],"scores":[{"cvss_v3":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["openSUSE Tumbleweed:ruby2.7-rubygem-nokogiri-1.12.5-1.1","openSUSE Tumbleweed:ruby3.0-rubygem-nokogiri-1.12.5-1.1","openSUSE Tumbleweed:ruby3.1-rubygem-nokogiri-1.13.3-1.1","openSUSE Tumbleweed:ruby3.2-rubygem-nokogiri-1.13.9-1.7","openSUSE Tumbleweed:ruby3.3-rubygem-nokogiri-1.15.5-1.5","openSUSE Tumbleweed:ruby3.4-rubygem-nokogiri-1.18.2-1.1","openSUSE Tumbleweed:ruby4.0-rubygem-nokogiri-1.18.9-1.4"]}],"threats":[{"category":"impact","date":"2021-09-28T02:00:08Z","details":"important"}],"title":"CVE-2021-41098"}]}