CVE-2013-0175

Name of the Vulnerable Software and Affected Versions multi xml gem version 0.5.2 Grape versions prior to 0.2.6

Description The issue allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service involving nested XML entity references. This can be achieved by leveraging support for YAML type conversion or Symbol type conversion.

Recommendations For multi xml gem version 0.5.2, update to a version that properly restricts casts of string values. For Grape versions prior to 0.2.6, update to version 0.2.6 or later to mitigate the risk of object-injection attacks and denial of service. As a temporary workaround, consider disabling YAML type conversion and Symbol type conversion until a patch is available.