CVE-2013-1856
Ruby on Rails 3.0.x-3.1.x < 3.1.12 and 3.2.x < 3.2.13 - XML External Entity Injection via ActiveSupport::XmlMini_JDOM
Title source: llmDescription
The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
References (5)
Core 5
Core References
Mailing List mailing-list
x_refsource_mlist
https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain
Various Sources x_refsource_confirm
http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
Mailing List vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2013/Oct/msg00006.html
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT5784
Mailing List vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
Scores
EPSS
0.0071
EPSS Percentile
72.3%
Details
CWE
CWE-20
Status
published
Products (26)
rubygems/activesupport
3.0.0 - 3.1.12RubyGems
rubyonrails/rails
3.1.0 (10 CPE variants)
rubyonrails/rails
3.1.1 (4 CPE variants)
rubyonrails/rails
3.1.2 (3 CPE variants)
rubyonrails/rails
3.1.3
rubyonrails/rails
3.1.4 (2 CPE variants)
rubyonrails/rails
3.1.5 (2 CPE variants)
rubyonrails/rails
3.1.6
rubyonrails/rails
3.1.7
rubyonrails/rails
3.1.8
... and 16 more
Published
Mar 19, 2013
Tracked Since
Feb 18, 2026