CVE-2015-3227 (Medium) detected in activesupport-3.0.9.gem
mend-bolt-for-github opened this issue · comments
CVE-2015-3227 - Medium Severity Vulnerability
Vulnerable Library - activesupport-3.0.9.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-3.0.9.gem
Dependency Hierarchy:
- rails-3.0.9.gem (Root Library)
- ❌ activesupport-3.0.9.gem (Vulnerable Library)
Found in HEAD commit: 0c785fd9400921392b8ee5e3e166f30364359ecc
Found in base branch: master
Vulnerability Details
The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
Publish Date: 2015-07-26
URL: CVE-2015-3227
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-3227
Release Date: 2015-07-26
Fix Resolution: 4.1.11,4.2.2
Step up your Open Source Security Game with WhiteSource here