multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution
Published: January 11, 2013
SECURITY IDENTIFIERS
- CVE: CVE-2013-0175 (NVD)
- GHSA: GHSA-pchc-949f-53m5
- OSVDB: OSVDB-89148
GEM
multi_xml
PATCHED VERSIONS
>= 0.5.2
DESCRIPTION
The multi_xml Gem for Ruby contains a flaw that is triggered when an error occurs during the parsing of the 'XML' parameter. With a crafted request containing arbitrary Symbol and YAML types, a remote attacker can execute arbitrary commands.
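
A detection-side illustration of the request shape described above, as an added example that is not multi_xml's own code: a pre-filter that flags XML request bodies declaring symbol or yaml typed elements, for logging or rejecting them in front of applications still running a version below 0.5.2. It assumes the types are declared in a type="..." attribute on an element, as in Rails-style XML parameters; the function names and sample bodies are constructed for this example.

```ruby
# Added example: heuristic pre-filter for XML request bodies.
# Assumption: typed values are declared as <element type="...">.
DISALLOWED_TYPES = %w[symbol yaml].freeze

# A start tag: element name followed by name="value" / name='value' pairs.
# Quoted values are consumed whole, so a '>' inside a value does not end the tag.
START_TAG = /<([A-Za-z_][\w.:-]*)((?:\s+[\w.:-]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*\/?>/
ATTR      = /([\w.:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/

# Returns [[element_name, type], ...] for each element whose type attribute
# names a disallowed type. The value is compared case-insensitively so the
# filter errs on the side of flagging. Tags inside comments or CDATA are
# flagged too; this is a conservative filter, not an XML parser.
def disallowed_typed_elements(xml_body)
  xml_body.to_s.scrub.scan(START_TAG).flat_map do |element, attrs|
    attrs.scan(ATTR).filter_map do |name, dq, sq|
      type = (dq || sq).strip.downcase
      [element, type] if name == "type" && DISALLOWED_TYPES.include?(type)
    end
  end
end

def suspicious_xml?(xml_body)
  !disallowed_typed_elements(xml_body).empty?
end

# Constructed sample bodies with benign values.
SAMPLES = {
  "plain"     => '<user><name>alice</name><age type="integer">30</age></user>',
  "yaml"      => '<user><prefs type="yaml">theme: dark</prefs></user>',
  "symbol"    => "<user><role type='Symbol'>admin</role></user>",
  "text-only" => '<note>set type="yaml" in the docs</note>'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, body|
    hits = disallowed_typed_elements(body)
    puts format("%-10s %s", label, hits.empty? ? "ok" : "FLAG #{hits.inspect}")
  end
end
```

A filter like this only narrows exposure while the upgrade is pending; the fix is the patched version listed above.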
