CVE-2013-1821

ruby: entity expansion DoS vulnerability in REXML

Severity Score

5.0

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.

lib/rexml/text.rb en el analizador REXML en Ruby anterior a 1.9.3-p392, permite a atacantes remotos provocar una denegación de servicio (consumo de memoria o caída de la aplicación) a través de nodos de texto manipulados en un documento XML. Aka como ataque XML Entity Expansion (XEE).

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2013-02-19 CVE Reserved
2013-03-08 CVE Published
2024-05-03 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (24)

URL	Tag	Source
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702525	X_refsource_misc
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=39384	X_refsource_confirm
http://www.openwall.com/lists/oss-security/2013/03/06/5	Mailing List
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html	X_refsource_confirm
http://www.securityfocus.com/bid/58141	Vdb Entry
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0092	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html	2016-12-08
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html	2016-12-08
http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html	2016-12-08
http://lists.opensuse.org/opensuse-updates/2013-04/msg00036.html	2016-12-08
http://rhn.redhat.com/errata/RHSA-2013-0611.html	2016-12-08
http://rhn.redhat.com/errata/RHSA-2013-0612.html	2016-12-08
http://rhn.redhat.com/errata/RHSA-2013-1028.html	2016-12-08
http://rhn.redhat.com/errata/RHSA-2013-1147.html	2016-12-08
http://secunia.com/advisories/52783	2016-12-08
http://secunia.com/advisories/52902	2016-12-08
http://www.debian.org/security/2013/dsa-2738	2016-12-08
http://www.debian.org/security/2013/dsa-2809	2016-12-08
http://www.mandriva.com/security/advisories?name=MDVSA-2013:124	2016-12-08
http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22	2016-12-08
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862	2016-12-08
http://www.ubuntu.com/usn/USN-1780-1	2016-12-08
https://bugzilla.redhat.com/show_bug.cgi?id=914716	2013-08-29
https://access.redhat.com/security/cve/CVE-2013-1821	2013-08-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				<= 1.9.3 Search vendor "Ruby-lang" for product "Ruby" and version " <= 1.9.3"		p385		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				1.9 Search vendor "Ruby-lang" for product "Ruby" and version "1.9"		-		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				1.9.1 Search vendor "Ruby-lang" for product "Ruby" and version "1.9.1"		-		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				1.9.2 Search vendor "Ruby-lang" for product "Ruby" and version "1.9.2"		-		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				1.9.3 Search vendor "Ruby-lang" for product "Ruby" and version "1.9.3"		-		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				1.9.3 Search vendor "Ruby-lang" for product "Ruby" and version "1.9.3"		p0		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				1.9.3 Search vendor "Ruby-lang" for product "Ruby" and version "1.9.3"		p125		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				1.9.3 Search vendor "Ruby-lang" for product "Ruby" and version "1.9.3"		p194		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				1.9.3 Search vendor "Ruby-lang" for product "Ruby" and version "1.9.3"		p286		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				1.9.3 Search vendor "Ruby-lang" for product "Ruby" and version "1.9.3"		p383		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				2.0 Search vendor "Ruby-lang" for product "Ruby" and version "2.0"		-		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				2.0.0 Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"		-		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				2.0.0 Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"		rc1		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				2.0.0 Search vendor "Ruby-lang" for product "Ruby" and version "2.0.0"		rc2		Affected