Lucene search

[email protected]CVE-2013-1856

HistoryMar 19, 2013 - 10:55 p.m.

CVE-2013-1856

2013-03-1922:55:01

CWE-20

[email protected]

web.nvd.nist.gov

activesupport

xmlmini_jdom

ruby on rails

cve-2013-1856

xml parsing

remote attackers

denial of service

vulnerability

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

6.6 Medium

AI Score

Confidence

Low

0.013 Low

EPSS

Percentile

85.8%

JSON

The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.

Affected configurations

NVD

Node

rubyonrailsrailsMatch3.1.0

rubyonrailsrailsMatch3.1.0beta1

rubyonrailsrailsMatch3.1.0rc1

rubyonrailsrailsMatch3.1.0rc2

rubyonrailsrailsMatch3.1.0rc3

rubyonrailsrailsMatch3.1.0rc4

rubyonrailsrailsMatch3.1.0rc5

rubyonrailsrailsMatch3.1.0rc6

rubyonrailsrailsMatch3.1.0rc7

rubyonrailsrailsMatch3.1.0rc8

rubyonrailsrailsMatch3.1.1

rubyonrailsrailsMatch3.1.1rc1

rubyonrailsrailsMatch3.1.1rc2

rubyonrailsrailsMatch3.1.1rc3

rubyonrailsrailsMatch3.1.2

rubyonrailsrailsMatch3.1.2rc1

rubyonrailsrailsMatch3.1.2rc2

rubyonrailsrailsMatch3.1.3

rubyonrailsrailsMatch3.1.4

rubyonrailsrailsMatch3.1.4rc1

rubyonrailsrailsMatch3.1.5

rubyonrailsrailsMatch3.1.5rc1

rubyonrailsrailsMatch3.1.6

rubyonrailsrailsMatch3.1.7

rubyonrailsrailsMatch3.1.8

rubyonrailsrailsMatch3.1.9

rubyonrailsrailsMatch3.1.10

rubyonrailsrailsMatch3.2.0

rubyonrailsrailsMatch3.2.0rc1

rubyonrailsrailsMatch3.2.0rc2

rubyonrailsrailsMatch3.2.1

rubyonrailsrailsMatch3.2.2

rubyonrailsrailsMatch3.2.2rc1

rubyonrailsrailsMatch3.2.3

rubyonrailsrailsMatch3.2.3rc1

rubyonrailsrailsMatch3.2.3rc2

rubyonrailsrailsMatch3.2.4

rubyonrailsrailsMatch3.2.4rc1

rubyonrailsrailsMatch3.2.5

rubyonrailsrailsMatch3.2.6

rubyonrailsrailsMatch3.2.7

rubyonrailsrailsMatch3.2.8

rubyonrailsrailsMatch3.2.9

rubyonrailsrailsMatch3.2.10

rubyonrailsrailsMatch3.2.11

rubyonrailsrailsMatch3.2.12

rubyonrailsruby_on_railsMatch3.1.11

CPENameOperatorVersion
rubyonrails:railsrubyonrails railseq3.1.0
rubyonrails:railsrubyonrails railseq3.1.1
rubyonrails:railsrubyonrails railseq3.1.2
rubyonrails:railsrubyonrails railseq3.1.3
rubyonrails:railsrubyonrails railseq3.1.4
rubyonrails:railsrubyonrails railseq3.1.5
rubyonrails:railsrubyonrails railseq3.1.6
rubyonrails:railsrubyonrails railseq3.1.7
rubyonrails:railsrubyonrails railseq3.1.8
rubyonrails:railsrubyonrails railseq3.1.9

CPE	Name	Operator	Version
rubyonrails:rails	rubyonrails rails	eq	3.1.0
rubyonrails:rails	rubyonrails rails	eq	3.1.1
rubyonrails:rails	rubyonrails rails	eq	3.1.2
rubyonrails:rails	rubyonrails rails	eq	3.1.3
rubyonrails:rails	rubyonrails rails	eq	3.1.4
rubyonrails:rails	rubyonrails rails	eq	3.1.5
rubyonrails:rails	rubyonrails rails	eq	3.1.6
rubyonrails:rails	rubyonrails rails	eq	3.1.7
rubyonrails:rails	rubyonrails rails	eq	3.1.8
rubyonrails:rails	rubyonrails rails	eq	3.1.9