CVE-2013-1856

Name of the Vulnerable Software and Affected Versions Ruby on Rails versions 3.0.x through 3.1.11 Ruby on Rails versions 3.2.x through 3.2.12

Description The issue allows remote attackers to read arbitrary files or cause a denial of service via vectors involving an external DTD or an external entity declaration in conjunction with an entity reference, due to the ActiveSupport::XmlMini JDOM backend not properly restricting the capabilities of the XML parser when JRuby is used.

Recommendations For Ruby on Rails versions 3.0.x through 3.1.11, update to version 3.1.12 or later. For Ruby on Rails versions 3.2.x through 3.2.12, update to version 3.2.13 or later.