CVE-2013-1812

Severity

43%

Complexity

86%

Confidentiality

48%

The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.

The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P).

Overview

First reported 11 years ago

2013-12-12 18:55:00

Last updated 11 years ago

2013-12-13 16:12:00

Affected Software

Fedora 17

17

Fedora 18

18

janrain ruby-openid 2.2.0 for Ruby

2.2.0
ruby

References

FEDORA-2013-20260

FEDORA-2013-20238

[oss-security] 20130302 Re: CVE request: ruby-openid XML denial of service attack

Patch

https://bugzilla.redhat.com/show_bug.cgi?id=918134

https://github.com/openid/ruby-openid/blob/master/CHANGELOG.md

https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed

Exploit, Patch

https://github.com/openid/ruby-openid/pull/43

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.