ADVISORIES
- CVE-2013-1856 (NVD)
- GHSA-9c2j-593q-3g82
- OSVDB-91451
GEM
FRAMEWORK
PLATFORM
SEVERITY
CVSS v2.0: 7.8 (High)
UNAFFECTED VERSIONS
- ~> 2.3.0
PATCHED VERSIONS
- ~> 3.1.12
- >= 3.2.13
DESCRIPTION
The ActiveSupport XML parsing functionality supports multiple pluggable backends. One backend supported for JRuby users is ActiveSupport::XmlMini_JDOM, which makes use of the javax.xml.parsers.DocumentBuilder class. In some JVM configurations the default settings of that class can allow an attacker to construct XML which, when parsed, will contain the contents of arbitrary URLs, including files from the application server. Those same default settings may also allow for various denial of service attacks. Action Pack
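As an added defensive example (not code from the advisory or from Rails), the guard below inspects an XML request body before it is handed to ActiveSupport::XmlMini and refuses anything carrying a DOCTYPE, since external entity declarations can only appear inside one; it also extracts any external entity URIs so a rejection can be logged. The sample documents and the placeholder URI are constructed for the example.

```ruby
# Pre-parse guard for XML bodies, mirroring the effect of the Java parser's
# "disallow-doctype-decl" hardening in plain Ruby, so it works on any backend.

# Matches a <!DOCTYPE ...> declaration, case-insensitively.
DOCTYPE_RE = /<!DOCTYPE\b/i
# Captures: optional '%' (parameter entity), entity name, SYSTEM or PUBLIC
# keyword (PUBLIC carries a public id before the URI), and the quoted URI.
ENTITY_RE  = /<!ENTITY\s+(%\s*)?([\w.:-]+)\s+(?:(SYSTEM)\s+|(PUBLIC)\s+"[^"]*"\s+)"([^"]*)"/i

# Returns one hash per external entity declaration found, for logging or
# alerting: { name:, parameter:, uri: }. Internal entities are not listed.
def external_entities(xml)
  xml.scan(ENTITY_RE).map do |param, name, _sys, _pub, uri|
    { name: name, parameter: !param.nil?, uri: uri }
  end
end

# Decision for a request body: [:allow, nil] or [:reject, reason].
# Any DTD is rejected; the reason names external entity URIs when present.
def inspect_xml_body(xml)
  return [:allow, nil] unless xml =~ DOCTYPE_RE || xml =~ /<!ENTITY\b/i
  ents = external_entities(xml)
  reason = if ents.empty?
             "DOCTYPE present"
           else
             "external entities: #{ents.map { |e| e[:uri] }.join(', ')}"
           end
  [:reject, reason]
end

# Constructed sample inputs (not real traffic).
BENIGN_XML       = %(<?xml version="1.0"?><user><name>alice</name></user>)
INTERNAL_DTD_XML = %(<?xml version="1.0"?><!DOCTYPE user [<!ENTITY a "x">]><user>&a;</user>)
EXTERNAL_DTD_XML = %(<?xml version="1.0"?><!DOCTYPE user [<!ENTITY ext SYSTEM "file:///placeholder/path">]><user>&ext;</user>)

if __FILE__ == $PROGRAM_NAME
  [BENIGN_XML, INTERNAL_DTD_XML, EXTERNAL_DTD_XML].each do |body|
    decision, reason = inspect_xml_body(body)
    puts "#{decision}#{reason ? " (#{reason})" : ''}"
  end
end
```

In a Rails application this belongs in a Rack middleware that runs before XML params parsing; it is a stop-gap for deployments that cannot yet move to the patched versions listed above.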