CVE-2014-8080

Severity

50%

Complexity

99%

Confidentiality

48%

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P).

Overview

First reported 10 years ago

2014-11-03 16:55:00

Last updated 6 years ago

2018-10-30 16:27:00

Affected Software

OpenSUSE 12.3

12.3

OpenSUSE 13.1

13.1

Canonical Ubuntu Linux 12.04 LTS (Long-Term Support)

12.04

Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)

14.04

Canonical Ubuntu Linux 14.10

14.10

ruby-lang Ruby 1.9.3

1.9.3

ruby-lang Ruby 1.9.3-p0

1.9.3

ruby-lang Ruby 1.9.3-p125

1.9.3

ruby-lang Ruby 1.9.3-p194

1.9.3

ruby-lang Ruby 1.9.3-p286

1.9.3

ruby-lang Ruby 1.9.3-p383

1.9.3

ruby-lang Ruby 1.9.3-p385

1.9.3

ruby-lang Ruby 1.9.3-p392

1.9.3

ruby-lang Ruby 1.9.3-p426

1.9.3

Ruby-lang Ruby 1.9.3-p429

1.9.3

Ruby-lang Ruby 2.0.0

2.0.0

Ruby-lang Ruby 2.0.0-p0

2.0.0

Ruby-lang Ruby 2.0.0-p195

2.0.0

Ruby-lang Ruby 2.0.0-p247

2.0.0

Ruby-lang Ruby 2.0.0 p451

2.0.0

Ruby-lang Ruby 2.0.0 p481

2.0.0

Ruby-lang Ruby 2.0.0 p576

2.0.0

ruby-lang Ruby 2.1.1

2.1.1

Ruby-lang Ruby 2.1.2

2.1.2

Ruby-lang Ruby 2.1.3

2.1.3

Red Hat Enterprise Linux 6.0

6.0

Red Hat Enterprise Linux (RHEL) 7.0 (7)

7.0

References

http://advisories.mageia.org/MGASA-2014-0443.html

APPLE-SA-2015-09-30-3

openSUSE-SU-2014:1589

openSUSE-SU-2015:0002

openSUSE-SU-2015:0007

RHSA-2014:1911

RHSA-2014:1912

RHSA-2014:1913

RHSA-2014:1914

61607

62050

62748

DSA-3157

DSA-3159

MDVSA-2015:129

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

70935

USN-2397-1

https://support.apple.com/HT205267

https://www.ruby-lang.org/en/news/2014/10/27/rexml-dos-cve-2014-8080/

Exploit, Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.