Published: 19/03/2013 Updated: 08/08/2019
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:P

Vulnerability Summary

The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x prior to 3.1.12 and 3.2.x prior to 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote malicious users to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.

Affected Products

Vendor Product Versions
RubyonrailsRails3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12
RubyonrailsRuby On Rails3.1.11

Vendor Advisories

Debian Bug report logs - #703350 CVE-2013-1856 Package: ruby-activesupport-32; Maintainer for ruby-activesupport-32 is (unknown); Reported by: Moritz Muehlenhoff <jmm@debianorg> Date: Mon, 18 Mar 2013 17:45:05 UTC Severity: important Tags: security Fixed in version ruby-activesupport-32/326-6 Done: Ondřej Surý &l ...

Recent Articles

Ruby on Rails Patches DoS, XSS Vulnerabilities
Threatpost • Chris Brook • 19 Mar 2013

The developers of Ruby on Rails, the popular web app framework, released four new versions of the product yesterday, complete with fixes for a series of vulnerabilities that could have lead to denial of service attacks and XSS injections.
Four vulnerabilities in total are addressed in versions 3.2.13, 3.1.12 and 2.3.18 of Rails, according to a post to the company’s blog on Monday. “All versions are impacted by one or more of these security issues,” according to the post.<...