Description
The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
Analysis
No analysis available yet.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| n/a | n/a | affected |
|
Configuration 1 [-]
|
No data.
No data available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2017-0202 | The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference. |
 Github GHSA |
GHSA-9c2j-593q-3g82 | activesupport Improper Input Validation vulnerability |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2024-08-06T15:20:35.152Z
Reserved: 2013-02-19T00:00:00.000Z
Link: CVE-2013-1856
Vulnrichment
No data.
NVD
Status : Modified
Published: 2013-03-19T22:55:01.070
Modified: 2026-04-29T01:13:23.040
Link: CVE-2013-1856
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses