XML Parsing Flaw in Ruby on Rails Active Support Component
CVE-2013-1856
Currently unrated
What is CVE-2013-1856?
In Ruby on Rails, the ActiveSupport::XmlMini_JDOM backend, when used with JRuby, does not properly restrict the capabilities of the XML parser. By way of external DTDs or entity references, remote attackers can gain unauthorized access to sensitive files or cause a denial of service through resource exhaustion.