CVE-2014-8090XML Entity Expansion in Ruby

CWE-776XML Entity Expansion10 documents8 sources
Severity
5.0MEDIUMNVD
EPSS
10.5%
top 6.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Ruby-lang Ruby
Timeline
PublishedNov 21
Latest updateMay 17

Description

The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

NVDruby-lang/ruby1.9.3+6

Patches

Patch: www.ubuntu.comPatch: www.ubuntu.com

🔴Vulnerability Details

3
GHSA
GHSA-2x97-vvh4-m4q4: The REXML parser in Ruby 12022-05-17
CVEList
CVE-2014-8090: The REXML parser in Ruby 12014-11-21
OSV
CVE-2014-8090: The REXML parser in Ruby 12014-11-14

📋Vendor Advisories

3
Ubuntu
Ruby vulnerability2014-11-20
Red Hat
ruby: REXML incomplete fix for CVE-2014-80802014-11-13
Apple
CVE-2014-8090: OS X El Capitan v10.11

💬Community

3
Bugzilla
CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080 [fedora-all]2018-02-05
Bugzilla
CVE-2014-8090 jruby: ruby: REXML incomplete fix for CVE-2014-8080 [fedora-all]2018-02-05
Bugzilla
CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-80802014-11-03
CVE-2014-8090 — XML Entity Expansion in Ruby-lang Ruby | cvebase