CVE-2013-1856 – activesupport
Package
Manager: gem
Name: activesupport
Vulnerable Version: >=3.0.0 <3.1.12 || >=3.2.0 <3.2.13
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00773 pctl0.7266
Details
activesupport Improper Input Validation vulnerability. The `ActiveSupport::XmlMini_JDOM` backend in `lib/active_support/xml_mini/jdom.rb` in the Active Support component of Ruby on Rails 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser. This allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
Metadata
Created: 2017-10-24T18:33:37Z
Modified: 2023-06-01T19:51:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-9c2j-593q-3g82/GHSA-9c2j-593q-3g82.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-9c2j-593q-3g82
Finding: F184
Auto approve: 1