5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:N/A:P
0.013 Low
EPSS
Percentile
85.6%
The ActiveSupport::XmlMini_JDOM
backend in lib/active_support/xml_mini/jdom.rb
in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
CPE | Name | Operator | Version |
---|---|---|---|
activesupport | lt | 3.2.13 | |
activesupport | lt | 3.1.12 |
lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
support.apple.com/kb/HT5784
weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
github.com/advisories/GHSA-9c2j-593q-3g82
github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2013-1856.yml
groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain
nvd.nist.gov/vuln/detail/CVE-2013-1856
web.archive.org/web/20130609174600/lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
web.archive.org/web/20131109010518/lists.apple.com/archives/security-announce/2013/Oct/msg00006.html