The multi_xml gem 0.5.2 for Ruby, as used in Grape prior to 0.2.6 and possibly other products, does not properly restrict casts of string values. A remote attacker who can submit XML to an application that parses it with multi_xml can (1) supply an element typed as YAML and have it deserialised into arbitrary Ruby objects (object injection, leading to arbitrary code execution), (2) supply elements typed as Symbol and create attacker-controlled symbols, or (3) cause a denial of service (memory and CPU consumption) with nested XML entity references. This is a vulnerability similar to CVE-2013-0156 in Rails.
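To make the type-cast problem concrete, the following added example (written for this page, not code from multi_xml or Grape) reimplements the idea of an XML parser that honours a `type` attribute on elements. It uses REXML from the Ruby standard library rather than multi_xml itself, and the `Widget` class, the `SAMPLE_XML` body and the cast tables are constructed for illustration. The vulnerable cast hands `type="yaml"` to an unrestricted YAML loader and `type="symbol"` to `to_sym`; the hardened cast only knows a fixed set of scalar types and leaves everything else as a plain string. The nested-entity denial of service is not simulated here.

```ruby
require "rexml/document"
require "yaml"

# Harmless class defined only to show that a tagged YAML payload makes the
# parser instantiate an arbitrary Ruby class (constructed for this example).
class Widget
  attr_accessor :name
end

# Constructed request body of the shape a Grape endpoint would parse from XML.
# The type attribute on each element drives the cast in the vulnerable parser.
SAMPLE_XML = <<~XML
  <user>
    <name>alice</name>
    <age type="integer">42</age>
    <role type="symbol">admin</role>
    <profile type="yaml">--- !ruby/object:Widget {name: injected}</profile>
  </user>
XML

# Vulnerable behaviour: string values are cast according to an attacker-controlled
# type, including YAML deserialisation and symbol creation.
def cast_vulnerable(value, type)
  case type
  when "integer" then Integer(value, 10)
  when "boolean" then value.strip == "true"
  when "symbol"  then value.to_sym            # attacker chooses which symbols exist
  when "yaml"
    # Psych < 4 makes YAML.load unrestricted; Psych >= 4 needs unsafe_load to
    # get the same (dangerous) behaviour, so pick whichever this Ruby provides.
    YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(value) : YAML.load(value)
  else value
  end
end

# Hardened behaviour: an allow-list of scalar casts; any other type, including
# "yaml" and "symbol", is ignored and the value stays a String.
SAFE_CASTS = {
  "integer" => ->(v) { Integer(v, 10) },
  "float"   => ->(v) { Float(v) },
  "boolean" => ->(v) { v.strip == "true" },
}.freeze

def cast_hardened(value, type)
  caster = SAFE_CASTS[type]
  caster ? caster.call(value) : value
end

# Parse the child elements of the root into a Hash, casting each text value
# with the supplied caster (a Method or lambda taking value and type).
def parse_xml(xml, caster)
  doc = REXML::Document.new(xml)
  doc.root.elements.each_with_object({}) do |el, params|
    params[el.name] = caster.call(el.text.to_s, el.attributes["type"])
  end
end

if __FILE__ == $PROGRAM_NAME
  vuln = parse_xml(SAMPLE_XML, method(:cast_vulnerable))
  safe = parse_xml(SAMPLE_XML, method(:cast_hardened))
  puts "vulnerable role:    #{vuln['role'].inspect} (#{vuln['role'].class})"
  puts "vulnerable profile: #{vuln['profile'].inspect}"
  puts "hardened role:      #{safe['role'].inspect} (#{safe['role'].class})"
  puts "hardened profile:   #{safe['profile'].inspect}"
end
```

Run with a plain `ruby` interpreter: the vulnerable parse returns a `Widget` instance with `name == "injected"` and the Symbol `:admin`, while the hardened parse returns both as Strings. The point to take away for review work is that the class name in the payload is entirely attacker-chosen; a real exploit substitutes a class whose instantiation or method calls do something useful to the attacker, which this example deliberately does not show. On Ruby before 2.2 dynamically created symbols were never garbage-collected, so the Symbol cast was also a memory-exhaustion vector; on newer Rubies it is mostly a correctness and injection concern.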
Vulnerable products:

Vendor | Product | Version
---|---|---
erik_michaels-ober | multi_xml | 0.5.2
grape project | grape | 0.1.0
grape project | grape | 0.1.1
grape project | grape | 0.1.2
grape project | grape | 0.1.3
grape project | grape | 0.1.4
grape project | grape | 0.1.5
grape project | grape | 0.2.0
grape project | grape | 0.2.1
grape project | grape | 0.2.2
grape project | grape | 0.2.3
grape project | grape | 0.2.4
grape project | grape | 0.2.5