CVE-2013-1856

NameCVE-2013-1856
DescriptionThe ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs703350

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rails (PTS)stretch2:4.2.7.1-1+deb9u2fixed
stretch (security)2:4.2.7.1-1+deb9u3fixed
buster2:5.2.2.1+dfsg-1+deb10u1fixed
bullseye2:5.2.4.3+dfsg-2fixed
sid2:6.0.3.2+dfsg-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
railssource(unstable)(not affected)
ruby-activesupport-2.3source(unstable)(not affected)
ruby-activesupport-3.2source(unstable)3.2.6-6703350

Notes

- ruby-activesupport-2.3 <not-affected> (Only affects 3.x and later)
- rails <not-affected> (Only affects 3.x and later)
Starting with 2.3.14.1 rails is a transition package

Search for package or bug name: Reporting problems