PT-2014-8404 · Ruby+5

Willis Vandevanter

·

Published

2014-10-29

·

Updated

2018-10-30

·

CVE-2014-8080

CVSS v2.0

5.0

Medium

Vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions
Ruby versions 1.9.x through 1.9.3-p549
Ruby versions 2.0.x through 2.0.0-p593
Ruby versions 2.1.x through 2.1.3

Description
The REXML parser in the affected Ruby versions allows remote attackers to cause a denial of service (memory consumption) by supplying a crafted XML document whose internal DTD declares nested entities that expand to a very large amount of text. This class of attack is known as XML Entity Expansion (XEE).

Recommendations
For Ruby versions 1.9.x through 1.9.3-p549, update to version 1.9.3-p550 or later.
For Ruby versions 2.0.x through 2.0.0-p593, update to version 2.0.0-p594 or later.
For Ruby versions 2.1.x through 2.1.3, update to version 2.1.4 or later.
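The following Ruby script is an added example; it is not part of this advisory and not code from the Ruby project. It constructs a small XEE document of the kind described above (four nested entity levels with fan-out 10, so the root text expands to 10,000 copies of "lol" from a few hundred bytes of input), parses it with REXML, and shows that REXML's process-wide limits, REXML::Security.entity_expansion_limit (default 10,000 expansions) and REXML::Security.entity_expansion_text_limit (default 10,240 bytes), stop the expansion, while lifting those limits lets the full 30,000-byte expansion through. It also includes a DOCTYPE rejection check for applications that never need a DTD. The helper names (xee_document, expand_root_text, dtd_free?) are the example's own, and the sample document is constructed, not taken from a real attack.

```ruby
require "rexml/document"

# Constructed sample: a small "billion laughs" document. Each entity references
# the previous one `fanout` times, so &lolN; expands to fanout**N copies of "lol".
# With levels: 4, fanout: 10 that is 10_000 copies (30_000 bytes) from a ~400-byte input.
def xee_document(levels: 4, fanout: 10)
  decls = [%(<!ENTITY lol0 "lol">)]
  (1..levels).each do |i|
    decls << %(<!ENTITY lol#{i} "#{"&lol#{i - 1};" * fanout}">)
  end
  <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE lolz [
    #{decls.join("\n")}
    ]>
    <lolz>&lol#{levels};</lolz>
  XML
end

# Parse XML under explicit REXML entity-expansion limits and force expansion by
# reading the root element's text. Returns a hash describing the outcome.
# The limits are class-level, process-wide settings, so they are restored afterwards.
# (Hypothetical helper written for this example; not a REXML API.)
def expand_root_text(xml, expansion_limit: 10_000, text_limit: 10_240)
  saved_limit = REXML::Security.entity_expansion_limit
  saved_text_limit = REXML::Security.entity_expansion_text_limit
  REXML::Security.entity_expansion_limit = expansion_limit
  REXML::Security.entity_expansion_text_limit = text_limit
  doc = REXML::Document.new(xml)
  text = doc.root.text # the tree parser keeps text raw; references are expanded here
  { ok: true, bytes: text.bytesize }
rescue RuntimeError => e
  # REXML raises a RuntimeError (ParseException is a subclass) when a limit is
  # exceeded or the document is malformed; either way the document is rejected.
  { ok: false, error: e.message }
ensure
  REXML::Security.entity_expansion_limit = saved_limit
  REXML::Security.entity_expansion_text_limit = saved_text_limit
end

# Defensive check for applications that never need a DTD: refuse the input up
# front instead of relying on expansion limits. Internal entity declarations can
# only appear inside a DOCTYPE, so a DOCTYPE-free document cannot carry an XEE payload.
# A "<!DOCTYPE" inside a comment also trips this check, which fails closed.
def dtd_free?(xml)
  !xml.match?(/<!DOCTYPE\b/)
end

if __FILE__ == $PROGRAM_NAME
  xml = xee_document
  puts "input: #{xml.bytesize} bytes, DTD present: #{!dtd_free?(xml)}"
  p expand_root_text(xml)                                                   # default limits: refused
  p expand_root_text(xml, expansion_limit: 100_000, text_limit: 1_000_000)  # limits lifted: 30_000 bytes
end
```

Two points worth noting from running it: REXML's tree parser does not blow up inside Document.new, because entity references in text are expanded only when the value is read (Element#text, Text#value), so an application that only builds the tree and later reads a field is still exposed at the read. And because the limits are global class settings, set them once at process start-up (or leave the defaults in a patched Ruby) rather than adjusting them per request as this example does for demonstration.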


Related Identifiers

ALT-PU-2016-2061
CESA-2014_1911
CESA-2014_1912
CVE-2014-8080
DLA-200-1
DLA-88-1
DSA-3157-1
DSA-3159-1
ELSA-2014-1911
ELSA-2014-1912
ELSA-2014-1913
MGASA-2014-0443
RHSA-2014:1911
RHSA-2014:1912
RHSA-2014:1913
RHSA-2014:1914
RHSA-2014_1911
RHSA-2014_1912
RHSA-2026:7305
RHSA-2026:7307
RHSA-2026:8838
SUSE-SU-2015_0093-1
SUSE-SU-2015_0157-1
USN-2397-1

Affected Products

Alt Linux
Centos
Red Hat
Ruby
Suse
Ubuntu