Description
The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.
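Both vectors hit the same place: a relying party fetches an XRDS discovery document from whatever OpenID provider the user names, then parses it with REXML. The Ruby below is an added example, not code from this page, from ruby-openid, or from the linked fix commit. It constructs a small XRDS with a three-level entity chain (a scaled-down "billion laughs") and a well-formed but oversized XRDS, reads the service URIs the way an unhardened consumer would, and then shows one hardening: a size cap before parsing plus a zero REXML entity-expansion limit while the document is parsed and read. The sample documents, `MAX_XRDS_BYTES`, and the function names are this example's own choices; whether the project's actual fix takes exactly this shape is not something this page states, so treat the hardened path as one workable approach rather than the gem's implementation.

```ruby
require 'rexml/document'

# Constructed sample (not a real provider response): an XRDS discovery document
# whose internal DTD subset declares a short entity chain. Three levels of ten
# turn a 10-byte entity into 1000 bytes; a hostile provider can deepen the
# chain so the consumer burns CPU and memory expanding it.
XEE_XRDS = <<~'XML'
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE xrds:XRDS [
    <!ENTITY a "aaaaaaaaaa">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  ]>
  <xrds:XRDS xmlns:xrds="xri://$xrds">
    <XRD>
      <Service priority="0">
        <Type>http://specs.openid.net/auth/2.0/server</Type>
        <URI>https://provider.example/openid/&c;</URI>
      </Service>
    </XRD>
  </xrds:XRDS>
XML

# Constructed sample for the other vector: well-formed, no entities, just big.
HUGE_XRDS = '<xrds:XRDS xmlns:xrds="xri://$xrds">' + ('<XRD/>' * 50_000) + '</xrds:XRDS>'

# Hypothetical cap on the discovery document size, chosen for this example.
MAX_XRDS_BYTES = 64 * 1024

# Unhardened consumer: parse whatever the provider sent with REXML's defaults
# and read the service URIs. REXML expands entities lazily, on .text access.
def service_uris_unsafe(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, "//URI").map(&:text)
end

# Hardened consumer used by this example: refuse oversized documents before
# parsing, and disallow any general-entity expansion while the document is
# parsed and read. The limit is process-global, so it is restored afterwards.
def service_uris_hardened(xml, max_bytes: MAX_XRDS_BYTES)
  if xml.bytesize > max_bytes
    raise ArgumentError, "XRDS document too large (#{xml.bytesize} bytes)"
  end

  saved = REXML::Security.entity_expansion_limit
  REXML::Security.entity_expansion_limit = 0
  begin
    doc = REXML::Document.new(xml)
    REXML::XPath.match(doc, "//URI").map(&:text)
  ensure
    REXML::Security.entity_expansion_limit = saved
  end
end

# Runs one of the two consumers and reports [:ok, uris] or [:rejected, reason].
# REXML's expansion-limit errors are RuntimeError (ParseException subclasses it).
def classify(xml, hardened:)
  uris = hardened ? service_uris_hardened(xml) : service_uris_unsafe(xml)
  [:ok, uris]
rescue ArgumentError, RuntimeError => e
  [:rejected, e.message]
end

if $PROGRAM_NAME == __FILE__
  status, uris = classify(XEE_XRDS, hardened: false)
  puts "unsafe: #{status}, a #{XEE_XRDS.bytesize}-byte document yields a " \
       "#{uris.first.bytesize}-byte URI"
  p classify(XEE_XRDS, hardened: true)
  p classify(HUGE_XRDS, hardened: true)
end
```

The unsafe path returns a URI roughly twice the size of the whole document from a chain only three levels deep; REXML's default limits (10,000 expansions, 10 KiB of expanded text) are what stop a full billion-laughs payload, and older REXML releases had no such limits at all, which is why the gem-level guard matters. The hardened path rejects the entity document on the first expansion and the oversized document before the parser ever sees it.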
References (7)
Core References
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=918134
Various Sources x_refsource_confirm
https://github.com/openid/ruby-openid/blob/master/CHANGELOG.md
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120361.html
Issue Tracking x_refsource_confirm
https://github.com/openid/ruby-openid/pull/43
Exploit, Patch x_refsource_confirm
https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120204.html
Patch mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2013/03/03/8
Scores
EPSS
0.0053
EPSS Percentile
67.5%
Details
CWE
CWE-399 (Resource Management Errors)
Status
published
Products (5)
fedoraproject/fedora
17
fedoraproject/fedora
18
janrain/ruby-openid
2.2.0
janrain/ruby-openid
< 2.2.1
rubygems/ruby-openid
0 - 2.2.2 (RubyGems)
Published
Dec 12, 2013
Tracked Since
Feb 18, 2026