Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-3790Improper Input Validation in Ruby

CWE-20Improper Input Validation8 documents7 sources
Severity
5.0MEDIUMNVD
EPSS
28.8%
top 3.44%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Ruby-lang Ruby
Timeline
PublishedAug 27
Latest updateMay 2

Description

The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

NVDruby-lang/ruby1.8.6, 1.8.7, 1.9+2

Patches

Patch: www.ruby-lang.orgPatch: www.ruby-lang.orgPatch: www.ruby-lang.org

🔴Vulnerability Details

2
GHSA
GHSA-96jc-f6m3-pf2w: The REXML module in Ruby 12022-05-02
CVEList
CVE-2008-3790: The REXML module in Ruby 12008-08-27

💥Exploits & PoCs

1
Exploit-DB
Ruby 1.9 - REXML Remote Denial of Service2008-08-23

📋Vendor Advisories

3
Ubuntu
Ruby vulnerability2008-12-16
Ubuntu
Ruby vulnerabilities2008-10-10
Red Hat
ruby: DoS vulnerability in the REXML module2008-08-23

💬Community

1
Bugzilla
CVE-2008-3790 ruby: DoS vulnerability in the REXML module2008-08-26
CVE-2008-3790 — Improper Input Validation in Ruby | cvebase