732 matches found
CVE-2014-8090
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service CPU and memory consumption a crafted XML document containing an empty string in an entity that is used in a large number of...
EUVD-2014-7937
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service CPU and memory consumption a crafted XML document containing an empty string in an entity that is used in a large number of...
CVE-2014-8090
The CVE-2014-8090 issue is a vulnerability in Ruby’s REXML XML parser that can be exploited via crafted XML documents containing an empty string in repeated nested entities, causing CPU and memory exhaustion (XEE). Affected are Ruby 1.9.x before 1.9.3 patchlevel 551, Ruby 2.0.x before 2.0.0 patch...
Updated ruby packages fix security vulnerabilities
Will Wood discovered that Ruby incorrectly handled the encodes function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a...
Ruby 'REXML' parser DoS Vulnerability (Nov 2014) - Windows
Ruby is prone to a denial of service DoS vulnerability. SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:ruby-lang:ruby";...
DLA-88-1 ruby1.8 - security update
Bulletin has no description...
Amazon Linux AMI : ruby19 (ALAS-2014-447)
The upstream patch for CVE-2014-8080 introduced checks against the REXML.entityexpansiontextlimit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entityexpansionlimit. As a consequence, even with the patch applied, a small XML...
Amazon Linux AMI : ruby21 (ALAS-2014-449)
The upstream patch for CVE-2014-8080 introduced checks against the REXML.entityexpansiontextlimit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entityexpansionlimit. As a consequence, even with the patch applied, a small XML...
Mantis Bug Tracker 1.2.0a3 < 1.2.17 XmlImportExport Plugin - PHP Code Injection (Metasploit) (1)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability', 'Description' = %q This module exploits a post-auth...
ruby: denial of service
CPU exhaustion can occur as a result of recursive expansion with an empty string. When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service...
MGASA-2014-0443 Updated ruby packages fix CVE-2014-8080
Updated ruby packages fix security vulnerability: Due to unrestricted entity expansion, when reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of servic...
Updated ruby packages fix CVE-2014-8080
Updated ruby packages fix security vulnerability: Due to unrestricted entity expansion, when reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of servic...
CVE-2014-8090
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service CPU and memory consumption a crafted XML document containing an empty string in an entity that is used in a large number of...
Medium: ruby21
Issue Overview: The upstream patch for CVE-2014-8080 introduced checks against the REXML.entityexpansiontextlimit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entityexpansionlimit. As a consequence, even with the patch applied,...
Medium: ruby19
Issue Overview: The upstream patch for CVE-2014-8080 introduced checks against the REXML.entityexpansiontextlimit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entityexpansionlimit. As a consequence, even with the patch applied,...
Medium: ruby20
Issue Overview: The upstream patch for CVE-2014-8080 introduced checks against the REXML.entityexpansiontextlimit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entityexpansionlimit. As a consequence, even with the patch applied,...
CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service CPU and memory consumption a crafted XML document containing an empty string in an entity that is used in a large number of...
Amazon Linux AMI : ruby21 (ALAS-2014-439)
The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service memory consumption via a crafted XML document, aka an XML Entity Expansion XEE attack. C Tenable Network Security, Inc. The descriptive text and...
Amazon Linux AMI : ruby20 (ALAS-2014-441)
The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service memory consumption via a crafted XML document, aka an XML Entity Expansion XEE attack. C Tenable Network Security, Inc. The descriptive text and...
Medium: ruby21
Issue Overview: The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service memory consumption via a crafted XML document, aka an XML Entity Expansion XEE attack. Affected Packages: ruby21 Issue Correction:...