Ruby · Ruby · CVE-2014-8080
**Name of the Vulnerable Software and Affected Versions**
Ruby versions 1.9.x through 1.9.3-p549
Ruby versions 2.0.x through 2.0.0-p593
Ruby versions 2.1.x through 2.1.3
**Description**
The issue allows remote attackers to cause a denial of service, specifically memory consumption, by exploiting the REXML parser in Ruby through a crafted XML document. This type of attack is known as an XML Entity Expansion (XEE) attack.
**Recommendations**
For Ruby versions 1.9.x through 1.9.3-p549, update to version 1.9.3-p550 or later.
For Ruby versions 2.0.x through 2.0.0-p593, update to version 2.0.0-p594 or later.
For Ruby versions 2.1.x through 2.1.3, update to version 2.1.4 or later.
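
The version ranges above, turned into a check that can be run over an inventory of reported Ruby builds. This is an added example, not code from the advisory or from the Ruby project; the helper names and the sample inventory are constructed for illustration.

```ruby
require "rubygems" # Gem::Version compares dotted versions numerically

# First fixed release per series, from the Recommendations list on this page.
# The 2.1 fix is identified by version alone, so it carries no patchlevel.
FIRST_FIXED = {
  "1.9" => ["1.9.3", 550],
  "2.0" => ["2.0.0", 594],
  "2.1" => ["2.1.4", nil]
}.freeze

# Accepts "1.9.3-p549", "2.0.0p594" (the `ruby -v` spelling) or "2.1.3".
BUILD_RE = /\A(\d+\.\d+)\.(\d+)(?:-?p(\d+))?\z/

# Hypothetical helper: returns :affected, :fixed, :not_listed or :unknown.
def cve_2014_8080_status(build)
  m = BUILD_RE.match(build.to_s.strip)
  return :unknown unless m                      # unparseable build string

  fixed_version, fixed_patch = FIRST_FIXED[m[1]]
  return :not_listed unless fixed_version       # series the page does not cover

  version = Gem::Version.new("#{m[1]}.#{m[2]}")
  fixed   = Gem::Version.new(fixed_version)
  return :affected if version < fixed
  return :fixed if version > fixed || fixed_patch.nil?
  return :unknown if m[3].nil?                  # boundary release, patchlevel missing

  m[3].to_i >= fixed_patch ? :fixed : :affected
end

# Hypothetical helper: hosts whose build is affected or could not be decided.
def hosts_needing_attention(inventory)
  inventory.reject { |_, b| %i[fixed not_listed].include?(cve_2014_8080_status(b)) }.keys
end

# Constructed sample inventory (host name => reported Ruby build).
SAMPLE_INVENTORY = {
  "web-01" => "1.9.3-p549", "web-02" => "1.9.3-p550", "app-01" => "2.0.0p593",
  "app-02" => "2.1.10",     "job-01" => "1.9.3",      "job-02" => "2.2.0"
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INVENTORY.each { |host, b| puts "#{host}: #{b} -> #{cve_2014_8080_status(b)}" }
  puts "this interpreter: #{cve_2014_8080_status("#{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}")}"
end
```

A build reported as `1.9.3` or `2.0.0` without a patchlevel comes back as `:unknown`, because the affected and fixed releases in those series differ only in patchlevel.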