CVE-2013-1821
Published 2013-04-09
Priority P4 · 27 · medium · CVSS 2.0 base score 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
EPSS 6.62% (93.0th percentile)
lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.
Affected
11 ranges indexed; only one carries version data.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ruby-lang | ruby | <= 1.9.3 | — |
The range data records no fixed version; the description above scopes the flaw to Ruby before 1.9.3-p392.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
Red Hat · vendor_redhat · 2014-11-13 · CVSS 5.0
CVE-2014-8090 [MEDIUM] CWE-776 ruby: REXML incomplete fix for CVE-2014-8080
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.
Statement: Red Hat JBoss SOA Platform 5 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes; and Red Hat JBoss SOA Platform 4.3 is now in Extended Life Support phase receiving only Critical impact security fixes. This issue has been rat
Ubuntu · vendor_ubuntu · 2013-03-25
CVE-2013-1821 Ruby vulnerability
Summary: Ruby could be made to hang if it received specially crafted input.
Ben Murphy discovered that the Ruby REXML library incorrectly handled XML
entity expansion. An attacker could use this flaw to cause Ruby to consume
large amounts of memory, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat · vendor_redhat · 2013-02-22 · CVSS 5.0
CVE-2013-1821 [MEDIUM] ruby: entity expansion DoS vulnerability in REXML
lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.
Package: ruby193-ruby (OpenShift Enterprise 1) - Affected
Package: jruby (Red Hat JBoss SOA Platform 4) - Will not fix
Package: jruby (Red Hat JBoss SOA Platform 5) - Affected
GHSA · ghsa · 2022-05-17
CVE-2013-1821 [MEDIUM] CWE-400 Ruby vulnerable to denial of service
When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.
JRuby resolves this bug in version 1.7.3, as noted in https://www.jruby.org/2013/02/21/jruby-1-7-3.html
OSV · osv · 2022-05-17
CVE-2013-1821 [MEDIUM] Ruby vulnerable to denial of service
When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.
JRuby resolves this bug in version 1.7.3, as noted in https://www.jruby.org/2013/02/21/jruby-1-7-3.html
GHSA · ghsa_unreviewed · 2022-05-17 · CVSS 5.0
CVE-2014-8090 [MEDIUM] GHSA-2x97-vvh4-m4q4
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.
OSV · osv · 2014-11-14 · CVSS 5.0
CVE-2014-8090 [MEDIUM]
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.
No detection rules found.
No public exploits indexed.
Bugzilla · bugzilla · 2014-11-03 · CVSS 5.0
CVE-2014-8090 [MEDIUM] ruby: REXML incomplete fix for CVE-2014-8080
The CVE-2014-8080 (tracked via bug 1157709) was assigned to a "billion laughs" issue affecting the Ruby REXML XML parser. The issue affected expansion of parameter entities, making it possible for a small XML document to cause the parser to use an excessive amount of CPU and memory while parsing.
The upstream patch for CVE-2014-8080 introduced checks against the REXML.entity_expansion_text_limit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entity_expansion_limit. As a consequence, even with the patch applied, a small XML document could cause REXML to use an excessive amount of CPU time. High memory usage can be achieved using larger inputs.
Note that similar issu
Bugzilla · bugzilla · 2014-10-27 · CVSS 5.0
CVE-2014-8080 [MEDIUM] ruby: REXML billion laughs attack via parameter entity expansion
Upstream released a new version of Ruby [1] which fixes a DoS during XML entity expansion.
Upstream commit fixing this: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/?pathrev=48161
[1]: https://www.ruby-lang.org/en/news/2014/10/27/rexml-dos-cve-2014-8080/
Discussion:
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1157936]
---
(In reply to Vasyl Kaigorodov from comment #0)
> Upstream commit fixing this:
> http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/?pathrev=48161
The actual commit is:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48161
It also provides more details of the issue, which were excluded from the upstream advisory. This issue is a "billion laughs" issue, using par
Bugzilla · bugzilla · 2013-06-13 · CVSS 7.5
CVE-2013-0269 [HIGH] CVE-2013-0269 CVE-2013-1821 JRuby 1.7.2 multiple security flaws [fedora-rawhide]
Fedora has jruby 1.7.2, which contains known CVEs that are fixed in version 1.7.3: http://www.jruby.org/2013/02/21/jruby-1-7-3.html . Meanwhile 1.7.4 has been released and it's probably best to update to it directly.
Discussion:
Thanks for this, Alexander. The two CVEs that are corrected are CVE-2013-0269 and CVE-2013-1821. I'm going to link those bugs and turn this into a tracking bug. I've looked on the upstream page and can't see anything about 1.6.x being affected by these, but it wouldn't surprise me if they were, so this may be an issue for Fedora 17 and 18 as well (unknown).
---
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.
More inform
Bugzilla · bugzilla · 2013-02-22 · CVSS 5.0
CVE-2013-1821 [MEDIUM] ruby: entity expansion DoS vulnerability in REXML
An unrestricted entity expansion flaw was reported in Ruby that can lead to a denial of service in REXML. When reading text nodes from an XML document, the REXML parser could be coerced into allocating extremely large string objects which could consume all available memory on the system.
Impacted code would look similar to the following:
```ruby
require 'rexml/document'

# some_xml_doc is attacker-controlled XML; parsing alone does not expand entities
document = REXML::Document.new(some_xml_doc)
# entity references in the text node are expanded here, without a size bound
document.root.text
```
In this case, when the 'text' method is called, entities will be expanded. An attacker could send a relatively small XML document that, when the entities were resolved, would consume extremely large amounts of memory on the target system. It is noted that this vulnerability is similar to the 'Billion Laughs' attack, and is also
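The two knobs discussed in the CVE-2014-8090 bug report above, a cap on the number of expansions and a cap on the bytes an expansion may produce, are what a caller should confirm are in force before calling `text` on untrusted input; the 2014 incomplete fix shows that either one alone is not enough. The following is an added example, not code from the advisories or from the Ruby project. It parses two constructed documents, a classic billion-laughs payload and a benign one, under explicit limits and reports accept or reject instead of letting the process exhaust memory. It assumes the `REXML::Security` writer API found in current rexml releases (older Ruby exposed the same limits as `REXML::Document.entity_expansion_limit=` and `entity_expansion_text_limit=`); the `expand_untrusted_xml` helper and both sample documents are this example's own.

```ruby
require "rexml/document"

# Added example (not from the advisory or the Ruby project). Parses untrusted
# XML with explicit REXML expansion limits and reports the outcome instead of
# letting expansion run until memory is exhausted.
#
# expansion_limit: maximum number of entity expansions per document
#                  (REXML::Security.entity_expansion_limit, default 10_000)
# text_limit:      maximum bytes a single expansion may produce
#                  (REXML::Security.entity_expansion_text_limit, default 10_240)
#
# Returns [:ok, expanded_root_text] or [:rejected, error_message].
def expand_untrusted_xml(xml, expansion_limit: 10_000, text_limit: 10_240)
  saved_limit = REXML::Security.entity_expansion_limit
  saved_text_limit = REXML::Security.entity_expansion_text_limit
  REXML::Security.entity_expansion_limit = expansion_limit
  REXML::Security.entity_expansion_text_limit = text_limit

  doc = REXML::Document.new(xml)   # recent rexml may already reject here
  [:ok, doc.root.text]             # older rexml expands entities only on #text
rescue RuntimeError => e           # REXML::ParseException is a RuntimeError
  [:rejected, e.message]
ensure
  REXML::Security.entity_expansion_limit = saved_limit
  REXML::Security.entity_expansion_text_limit = saved_text_limit
end

# Constructed sample: a classic "billion laughs" document. &lol4; expands to
# 10_000 copies of "lol" (30_000 bytes) through 11_111 entity expansions, so it
# trips both default limits; one or two more levels would demand gigabytes.
BILLION_LAUGHS = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  ]>
  <lolz>&lol4;</lolz>
XML

# Constructed sample: a small, legitimate use of an internal entity.
BENIGN = <<~XML
  <!DOCTYPE note [ <!ENTITY who "world"> ]>
  <note>hello &who;</note>
XML

if __FILE__ == $PROGRAM_NAME
  p expand_untrusted_xml(BENIGN)                            # [:ok, "hello world"]
  p expand_untrusted_xml(BILLION_LAUGHS).first              # :rejected
  # Each limit is enforced on its own; CVE-2014-8090 was the count check being
  # absent while the text-size check was present.
  p expand_untrusted_xml(BENIGN, text_limit: 2).first       # :rejected
  p expand_untrusted_xml(BENIGN, expansion_limit: 0).first  # :rejected
end
```

The rejection surfaces as a `RuntimeError` ("entity expansion has grown too large" or "number of entity expansions exceeded, processing aborted.") rather than as an out-of-memory kill, which is the behaviour a request handler can actually catch and log. The defaults are the library's; lower them per endpoint when the legitimate documents you accept are small.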
Bugzilla · bugzilla · 2013-02-22 · CVSS 5.0
CVE-2013-1821 [MEDIUM] ruby: entity expansion DoS vulnerability in REXML [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affe
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702525
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html
http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html
http://lists.opensuse.org/opensuse-updates/2013-04/msg00036.html
http://rhn.redhat.com/errata/RHSA-2013-0611.html
http://rhn.redhat.com/errata/RHSA-2013-0612.html
http://rhn.redhat.com/errata/RHSA-2013-1028.html
http://rhn.redhat.com/errata/RHSA-2013-1147.html
http://secunia.com/advisories/52783
http://secunia.com/advisories/52902
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=39384
http://www.debian.org/security/2013/dsa-2738
http://www.debian.org/security/2013/dsa-2809
http://www.mandriva.com/security/advisories?name=MDVSA-2013:124
http://www.openwall.com/lists/oss-security/2013/03/06/5
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/
http://www.securityfocus.com/bid/58141
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862
http://www.ubuntu.com/usn/USN-1780-1
https://bugzilla.redhat.com/show_bug.cgi?id=914716
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0092