5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:N/A:P
0.013 Low
EPSS
Percentile
85.6%
The ActiveSupport::XmlMini_JDOM backend in
lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby
on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby
is used, does not properly restrict the capabilities of the XML parser,
which allows remote attackers to read arbitrary files or cause a denial of
service (resource consumption) via vectors involving (1) an external DTD or
(2) an external entity declaration in conjunction with an entity reference.
Author | Note |
---|---|
mdeslaur | in Oneiric+, rails package is just for transition |
jdstrand | per upstream, rails 2.3 not affected |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | ruby-activesupport-3.2 | <Β 3.2.6-5 | UNKNOWN |