CVE-2013-1856 (Medium) detected in activesupport-3.0.9.gem
mend-bolt-for-github opened this issue · comments
CVE-2013-1856 - Medium Severity Vulnerability
Vulnerable Library - activesupport-3.0.9.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-3.0.9.gem
Dependency Hierarchy:
- rails-3.0.9.gem (Root Library)
- ❌ activesupport-3.0.9.gem (Vulnerable Library)
Found in HEAD commit: 0c785fd9400921392b8ee5e3e166f30364359ecc
Found in base branch: master
Vulnerability Details
The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
Publish Date: 2013-03-19
URL: CVE-2013-1856
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-1856
Release Date: 2013-03-19
Fix Resolution: 3.1.12,3.2.13
Step up your Open Source Security Game with WhiteSource here