CVE-2014-8090

Severity

50%

Complexity

99%

Confidentiality

48%

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P).

Overview

First reported 10 years ago

2014-11-21 15:59:00

Last updated 8 years ago

2017-01-03 02:59:00

Affected Software

ruby-lang Ruby 1.9.3

1.9.3

ruby-lang Ruby 1.9.3-p0

1.9.3

ruby-lang Ruby 1.9.3-p125

1.9.3

ruby-lang Ruby 1.9.3-p194

1.9.3

ruby-lang Ruby 1.9.3-p286

1.9.3

ruby-lang Ruby 1.9.3-p383

1.9.3

ruby-lang Ruby 1.9.3-p385

1.9.3

ruby-lang Ruby 1.9.3-p392

1.9.3

ruby-lang Ruby 1.9.3-p426

1.9.3

Ruby-lang Ruby 1.9.3-p429

1.9.3

Ruby-lang Ruby 2.0.0

2.0.0

Ruby-lang Ruby 2.0.0-p0

2.0.0

Ruby-lang Ruby 2.0.0-p195

2.0.0

Ruby-lang Ruby 2.0.0-p247

2.0.0

Ruby-lang Ruby 2.0.0 p451

2.0.0

Ruby-lang Ruby 2.0.0 p481

2.0.0

Ruby-lang Ruby 2.0.0 p576

2.0.0

Ruby-lang Ruby 2.0.0 p594

2.0.0

ruby-lang Ruby 2.1.1

2.1.1

Ruby-lang Ruby 2.1.2

2.1.2

Ruby-lang Ruby 2.1.3

2.1.3

Ruby-lang Ruby 2.1.4

2.1.4

References

http://advisories.mageia.org/MGASA-2014-0472.html

APPLE-SA-2015-09-30-3

openSUSE-SU-2014:1589

openSUSE-SU-2015:0002

openSUSE-SU-2015:0007

RHSA-2014:1911

RHSA-2014:1912

RHSA-2014:1913

RHSA-2014:1914

59948

62050

62748

DSA-3157

DSA-3159

MDVSA-2015:129

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

71230

USN-2412-1

Patch, Vendor Advisory

https://support.apple.com/HT205267

https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/

Exploit, Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.