GitHub Advisory DatabaseGHSA-9C2J-593Q-3G82activesupport Improper Input Validation vulnerability
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:N/A:P
0.013 Low
EPSS
Percentile
85.6%
The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
| CPE | Name | Operator | Version |
|---|---|---|---|
| activesupport | lt | 3.2.13 | |
| activesupport | lt | 3.1.12 |
References
lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
support.apple.com/kb/HT5784
weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
github.com/advisories/GHSA-9c2j-593q-3g82
github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2013-1856.yml
groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain
nvd.nist.gov/vuln/detail/CVE-2013-1856
web.archive.org/web/20130609174600/lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
web.archive.org/web/20131109010518/lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
Related
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:N/A:P
0.013 Low
EPSS
Percentile
85.6%