CVE-2013-0175
N/A
N/A
Summary
multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/sferik/multi_xml/pull/34
- https://gist.github.com/nate/d7f6d9f4925f413621aa
- http://www.openwall.com/lists/oss-security/2013/01/11/9
- https://groups.google.com/forum/?fromgroups=#%21topic/ruby-grape/fthDkMgIOa0
- https://news.ycombinator.com/item?id=5040457
References
- https://github.com/sferik/multi_xml/pull/34
- https://gist.github.com/nate/d7f6d9f4925f413621aa
- http://www.openwall.com/lists/oss-security/2013/01/11/9
- https://groups.google.com/forum/?fromgroups=#%21topic/ruby-grape/fthDkMgIOa0
- https://news.ycombinator.com/item?id=5040457
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.