CVE-2013-1821 — Improper Input Validation in Ruby

CWE-20 — Improper Input Validation CWE-400 — Uncontrolled Resource Consumption CWE-776 — XML Entity Expansion10 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

20.7%

top 4.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang Ruby

Timeline

PublishedApr 9

Latest updateMay 17

Description

lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDruby-lang/ruby1.9.3+6

🔴Vulnerability Details

GHSA

Ruby vulnerable to denial of service↗2022-05-17

▶

OSV

Ruby vulnerable to denial of service↗2022-05-17

▶

CVEList

CVE-2013-1821: lib/rexml/text↗2013-04-09

▶

📋Vendor Advisories

Red Hat

ruby: REXML incomplete fix for CVE-2014-8080↗2014-11-13

▶

Ubuntu

Ruby vulnerability↗2013-03-25

▶

Red Hat

ruby: entity expansion DoS vulnerability in REXML↗2013-02-22

▶

💬Community

Bugzilla

CVE-2013-0269 CVE-2013-1821 JRuby 1.7.2 multiple security flaws [fedora-rawhide]↗2013-06-13

▶

Bugzilla

CVE-2013-1821 ruby: entity expansion DoS vulnerability in REXML↗2013-02-22

▶

Bugzilla

CVE-2013-1821 ruby: entity expansion DoS vulnerability in REXML [fedora-all]↗2013-02-22

▶