CVE-2014-8080 — XML Entity Expansion in Ruby

CWE-776 — XML Entity Expansion17 documents10 sources

Severity

5.0MEDIUMNVD

EPSS

10.8%

top 6.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang Ruby Canonical Ubuntu Linux Opensuse +1 more

Timeline

PublishedNov 3

Latest updateMay 14

Description

The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDruby-lang/ruby1.9.3+5

▶NVDopensuse/opensuse12.3, 13.1+1

Also affects: Ubuntu Linux 12.04, 14.04, 14.10, Enterprise Linux 6.0, 7.0

🔴Vulnerability Details

GHSA

GHSA-ggvr-v7qh-jwjh: The REXML parser in Ruby 1↗2022-05-14

▶

OSV

ruby1.8, ruby1.9.1, ruby2.0, ruby2.1 vulnerabilities↗2014-11-04

▶

CVEList

CVE-2014-8080: The REXML parser in Ruby 1↗2014-11-03

▶

OSV

CVE-2014-8080: The REXML parser in Ruby 1↗2014-10-29

▶

💥Exploits & PoCs

Exploit-DB

Xerox DocuShare - SQL Injection↗2014-04-15

▶

📋Vendor Advisories

Red Hat

ruby: REXML incomplete fix for CVE-2014-8080↗2014-11-13

▶

Ubuntu

Ruby vulnerabilities↗2014-11-04

▶

Red Hat

ruby: REXML billion laughs attack via parameter entity expansion↗2014-10-27

▶

Apple

CVE-2014-8080: OS X El Capitan v10.11↗

▶

📄Research Papers

CTF

Steel-Mountain / README↗

▶

💬Community

Bugzilla

CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080 [fedora-all]↗2018-02-05

▶

Bugzilla

CVE-2014-8090 jruby: ruby: REXML incomplete fix for CVE-2014-8080 [fedora-all]↗2018-02-05

▶

Bugzilla

CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080↗2014-11-03

▶

Bugzilla

CVE-2014-8080 jruby: ruby: REXML billion laughs attack via parameter entity expansion [fedora-all]↗2014-10-28

▶

Bugzilla

CVE-2014-8080 ruby: Denial Of Service XML Expansion [fedora-all]↗2014-10-28

▶