GHSA-9c2j-593q-3g82
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9c2j-593q-3g82
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-9c2j-593q-3g82/GHSA-9c2j-593q-3g82.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9c2j-593q-3g82
- Aliases
-
- CVE-2013-1856
- Published
- 2017-10-24T18:33:37Z
- Modified
- 2024-12-05T05:33:43.658748Z
- Summary
- activesupport Improper Input Validation vulnerability
- Details
-
The
ActiveSupport::XmlMini_JDOMbackend inlib/active_support/xml_mini/jdom.rbin the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference. - Database specific
{ "nvd_published_at": "2013-03-19T22:55:01Z", "cwe_ids": [ "CWE-20" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:28:09Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2013-1856
- https://github.com/rails/rails
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2013-1856.yml
- https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain
- https://web.archive.org/web/20130609174600/http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
- https://web.archive.org/web/20131109010518/http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
- http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
- http://support.apple.com/kb/HT5784
- http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released
Affected packages
RubyGems / activesupport
Package
- Name
- activesupport
- Purl
- pkg:gem/activesupport
Affected versions
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4.rc1
3.0.4
3.0.5.rc1
3.0.5
3.0.6.rc1
3.0.6.rc2
3.0.6
3.0.7.rc1
3.0.7.rc2
3.0.7
3.0.8.rc1
3.0.8.rc2
3.0.8.rc4
3.0.8
3.0.9.rc1
3.0.9.rc3
3.0.9.rc4
3.0.9.rc5
3.0.9
3.0.10.rc1
3.0.10
3.0.11
3.0.12.rc1
3.0.12
3.0.13.rc1
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.0.20
3.1.0.beta1
3.1.0.rc1
3.1.0.rc2
3.1.0.rc3
3.1.0.rc4
3.1.0.rc5
3.1.0.rc6
3.1.0.rc8
3.1.0
3.1.1.rc1
3.1.1.rc2
3.1.1.rc3
3.1.1
3.1.2.rc1
3.1.2.rc2
3.1.2
3.1.3
3.1.4.rc1
3.1.4
3.1.5.rc1
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
RubyGems / activesupport
Package
- Name
- activesupport
- Purl
- pkg:gem/activesupport