DescriptionThe ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs703350

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rails (PTS)jessie2:4.1.8-1+deb8u4fixed
jessie (security)2:4.1.8-1+deb8u5fixed
buster, sid2:

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
railssource(unstable)(not affected)
ruby-activesupport-2.3source(unstable)(not affected)


- ruby-activesupport-2.3 <not-affected> (Only affects 3.x and later)
- rails <not-affected> (Only affects 3.x and later)
Starting with rails is a transition package

Search for package or bug name: Reporting problems