CVE-2014-8080

Description

The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.

CVSS Metrics

• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 15.63%• Percentile: 95%

Affected Systems

• canonical•ubuntu_linux

  12.04 | 14.04 | 14.10

• opensuse•opensuse

  12.3 | 13.1

• redhat•enterprise_linux

  6.0 | 7.0

• ruby-lang•ruby

  ≤ 1.9.3 | 1.9.3 | 1.9.3:p0 | 1.9.3:p125 | 1.9.3:p194 | 1.9.3:p286 | 1.9.3:p383 | 1.9.3:p385 | 1.9.3:p392 | 1.9.3:p426 | 1.9.3:p429 | 1.9.3:p448 | 1.9.3:p545 | 1.9.3:p547 | 2.0.0 | 2.0.0:p0 | 2.0.0:p195 | 2.0.0:p247 | 2.0.0:p451 | 2.0.0:p481 | 2.0.0:p576 | 2.1.1 | 2.1.2 | 2.1.3

References (20)

• http://secunia.com/advisories/61607
• http://lists.opensuse.org/opensuse-updates/2014-12/msg00035.html
• http://advisories.mageia.org/MGASA-2014-0443.html
• http://rhn.redhat.com/errata/RHSA-2014-1912.html
• http://www.debian.org/security/2015/dsa-3159
• http://secunia.com/advisories/62050
• http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
• http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
• http://rhn.redhat.com/errata/RHSA-2014-1913.html
• https://www.ruby-lang.org/en/news/2014/10/27/rexml-dos-cve-2014-8080/
• https://support.apple.com/HT205267
• http://rhn.redhat.com/errata/RHSA-2014-1911.html
• http://www.securityfocus.com/bid/70935
• http://www.debian.org/security/2015/dsa-3157
• http://www.ubuntu.com/usn/USN-2397-1
• http://secunia.com/advisories/62748
• http://www.mandriva.com/security/advisories?name=MDVSA-2015:129
• http://lists.opensuse.org/opensuse-updates/2015-01/msg00004.html
• http://rhn.redhat.com/errata/RHSA-2014-1914.html
• http://lists.opensuse.org/opensuse-updates/2015-01/msg00000.html