RubySec

Providing security resources for the Ruby community

CVE-2013-1856 (activesupport): XML Parsing Vulnerability affecting JRuby users

GEM

activesupport

FRAMEWORK

Ruby on Rails

PLATFORM

JRuby

SEVERITY

CVSS v2.0: 7.8 (High)

UNAFFECTED VERSIONS

  • ~> 2.3.0

PATCHED VERSIONS

  • ~> 3.1.12
  • >= 3.2.13

DESCRIPTION

The ActiveSupport XML parsing functionality supports multiple pluggable backends. One backend supported for JRuby users is ActiveSupport::XmlMini_JDOM which makes use of the javax.xml.parsers.DocumentBuilder class. In some JVM configurations the default settings of that class can allow an attacker to construct XML which, when parsed, will contain the contents of arbitrary URLs including files from the application server. They may also allow for various denial of service attacks. Action Pack
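Both outcomes the advisory names, inlining the contents of arbitrary URLs or server files and entity-expansion denial of service, require a DOCTYPE declaration in the document, so a backend-independent mitigation is to refuse any DTD in untrusted XML before it reaches XmlMini (or any DocumentBuilder). The following guard is an added example, not code from the advisory or from ActiveSupport; the sample documents and the `file:///placeholder/path` URI are constructed.

```ruby
# Added pre-parse guard (not from the advisory or ActiveSupport): reject any
# DTD before the document reaches the XML backend, whatever the JVM defaults.

class UnsafeXmlError < StandardError; end

# The DOCTYPE declaration, including an optional internal subset in [...].
DOCTYPE_RE = /<!DOCTYPE[^\[>]*(?:\[.*?\])?\s*>/mi

# Symbols describing why the document is unsafe; empty when no DTD is present.
# The guard rejects on :doctype alone; the finer symbols are for logging.
def dtd_findings(xml)
  doctype = xml[DOCTYPE_RE]
  return [] unless doctype

  findings = [:doctype]
  # <!DOCTYPE root SYSTEM "..."> / PUBLIC: the parser fetches an external DTD.
  findings << :external_dtd if doctype.match?(/\A<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b/i)
  # <!ENTITY name SYSTEM "uri">: external content inlined when the entity expands.
  findings << :external_entity if doctype.match?(/<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b/i)
  # Internal entities referencing other entities: the shape of expansion DoS.
  findings << :nested_entities if doctype.match?(/<!ENTITY\s+\S+\s+"[^"]*&\w+;[^"]*"/i)
  findings
end

# Raise before any parser sees the DTD; return the input unchanged when clean.
def reject_dtd!(xml)
  findings = dtd_findings(xml)
  raise UnsafeXmlError, "untrusted XML rejected: #{findings.join(', ')}" unless findings.empty?
  xml
end

# Constructed samples (placeholder URI, not a real target).
CLEAN_XML = '<?xml version="1.0"?><order><id>42</id></order>'
EXTERNAL_ENTITY_XML = <<~XML
  <!DOCTYPE order [ <!ENTITY leak SYSTEM "file:///placeholder/path"> ]>
  <order><id>&leak;</id></order>
XML
EXPANSION_XML = <<~XML
  <!DOCTYPE order [
    <!ENTITY a "aaaaaaaaaa">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  ]>
  <order><id>&b;</id></order>
XML

[CLEAN_XML, EXTERNAL_ENTITY_XML, EXPANSION_XML].each do |doc|
  reject_dtd!(doc)
  puts 'accepted'
rescue UnsafeXmlError => e
  puts e.message
end
```

On JRuby the parser-level equivalent is enabling the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` on the DocumentBuilderFactory, which the lexical guard above does not depend on.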