CVE-2013-1856Improper Input Validation in Rails

CWE-20Improper Input Validation7 documents6 sources
Severity
5.8MEDIUMNVD
EPSS
0.7%
top 27.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Rubyonrails RailsRubyonrails Ruby ON Rails
Timeline
PublishedMar 19
Latest updateOct 24

Description

The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.

CVSS vector

AV:N/AC:M/C:P/I:N/A:PExploitability: 8.6 | Impact: 4.9

Affected Packages2 packages

NVDrubyonrails/rails24 versions+23

🔴Vulnerability Details

3
OSV
activesupport Improper Input Validation vulnerability2017-10-24
GHSA
activesupport Improper Input Validation vulnerability2017-10-24
CVEList
CVE-2013-1856: The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom2013-03-19

📋Vendor Advisories

1
Debian
CVE-2013-1856: rails - The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb i...2013

💬Community

2
Bugzilla
CVE-2013-1856 rubygem-activesupport: jdom: XML Parsing Vulnerability affecting JRuby users [fedora-all]2013-03-18
Bugzilla
CVE-2013-1856 rubygem-activesupport: jdom: XML Parsing Vulnerability affecting JRuby users2013-03-14
CVE-2013-1856 — Improper Input Validation in Rails | cvebase