CVE-2015-3227 — Uncontrolled Resource Consumption in Rails

CWE-400 — Uncontrolled Resource Consumption10 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

2.7%

top 14.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Opensuse

Timeline

PublishedJul 26

Latest updateOct 24

Description

The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶Debianrubyonrails/rails< 2:4.2.4-2+3

▶NVDrubyonrails/rails11 versions+10

▶NVDopensuse/opensuse13.1, 13.2+1

🔴Vulnerability Details

GHSA

activesupport vulnerable to Denial of Service via large XML document depth↗2017-10-24

▶

OSV

activesupport vulnerable to Denial of Service via large XML document depth↗2017-10-24

▶

CVEList

CVE-2015-3227: The (1) jdom↗2015-07-26

▶

OSV

CVE-2015-3227: The (1) jdom↗2015-07-26

▶

📋Vendor Advisories

Red Hat

rubygem-activesupport: Possible Denial of Service attack in Active Support in merge_element()↗2015-06-16

▶

Debian

CVE-2015-3227: rails - The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails b...↗2015

▶

💬Community

Bugzilla

CVE-2015-3227 rubygem-activesupport: Possible Denial of Service attack in Active Support in merge_element() [fedora-all]↗2015-07-31

▶

Bugzilla

CVE-2015-3227 rubygem-activesupport: Possible Denial of Service attack in Active Support in merge_element() [epel-all]↗2015-07-31

▶

Bugzilla

CVE-2015-3227 rubygem-activesupport: Possible Denial of Service attack in Active Support in merge_element()↗2015-06-16

▶