Lucene search

GitHub Advisory DatabaseGHSA-J96R-XVJQ-R9PG

HistoryOct 24, 2017 - 6:33 p.m.

activesupport vulnerable to Denial of Service via large XML document depth

2017-10-2418:33:36

GitHub Advisory Database

github.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.016 Low

EPSS

Percentile

87.3%

JSON

The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.

Affected configurations

Vulners

Node

activesupport_projectactivesupportRange<4.2.2ruby

activesupport_projectactivesupportRange<4.1.11ruby

CPENameOperatorVersion
activesupportlt4.2.2
activesupportlt4.1.11

CPE	Name	Operator	Version
	activesupport	lt	4.2.2
	activesupport	lt	4.1.11

References

lists.opensuse.org/opensuse-updates/2015-07/msg00050.html

openwall.com/lists/oss-security/2015/06/16/16

www.debian.org/security/2016/dsa-3464

github.com/advisories/GHSA-j96r-xvjq-r9pg

groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J

nvd.nist.gov/vuln/detail/CVE-2015-3227

web.archive.org/web/20200228041703/www.securityfocus.com/bid/75234

web.archive.org/web/20200517005133/www.securitytracker.com/id/1033755

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.016 Low

EPSS

Percentile

87.3%

JSON

Related for GHSA-J96R-XVJQ-R9PG