CVE-2013-1856

NameCVE-2013-1856
DescriptionThe ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs703350

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rails (PTS)jessie (security), jessie2:4.1.8-1+deb8u4fixed
stretch2:4.2.7.1-1fixed
buster2:4.2.10-1fixed
sid2:5.2.2+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
railssource(unstable)(not affected)
ruby-activesupport-2.3source(unstable)(not affected)
ruby-activesupport-3.2source(unstable)3.2.6-6medium703350

Notes

- ruby-activesupport-2.3 <not-affected> (Only affects 3.x and later)
- rails <not-affected> (Only affects 3.x and later)
Starting with 2.3.14.1 rails is a transition package

Search for package or bug name: Reporting problems