what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 12 of 12 RSS Feed

CVE-2013-1821

Status Candidate

Overview

lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.

Related Files

Gentoo Linux Security Advisory 201412-27
Posted Dec 15, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201412-27 - Multiple vulnerabilities have been found in Ruby, allowing context-dependent attackers to cause a Denial of Service condition. Versions less than 2.0.0_p598 are affected.

tags | advisory, denial of service, vulnerability, ruby
systems | linux, gentoo
advisories | CVE-2011-0188, CVE-2011-1004, CVE-2011-1005, CVE-2011-4815, CVE-2012-4481, CVE-2012-5371, CVE-2013-0269, CVE-2013-1821, CVE-2013-4164, CVE-2014-8080, CVE-2014-8090
SHA-256 | 54e66264d3d6d38c3086840b65a1d59298b94700ea2d898a1673e706acdba6e8
Debian Security Advisory 2809-1
Posted Dec 5, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2809-1 - Several vulnerabilities have been discovered in the interpreter for the Ruby language.

tags | advisory, vulnerability, ruby
systems | linux, debian
advisories | CVE-2013-1821, CVE-2013-4073, CVE-2013-4164
SHA-256 | 8cf75779505f2c2d90a0e3c0b819ef71e8ce28e7a5c7874d20b80f024dd05ae3
Red Hat Security Advisory 2013-1185-01
Posted Aug 29, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1185-01 - Red Hat JBoss Fuse 6.0.0, based on Apache ServiceMix, provides an integration platform. Red Hat JBoss Fuse 6.0.0 patch 2 is an update to Red Hat JBoss Fuse 6.0.0 and includes bug fixes.

tags | advisory
systems | linux, redhat
advisories | CVE-2013-0269, CVE-2013-1768, CVE-2013-1821, CVE-2013-2160
SHA-256 | 0939186bded3bc21379c4815dec6ff27fa7ec3cd68880f3f51e0f782423a24ac
Debian Security Advisory 2738-1
Posted Aug 19, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2738-1 - Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service and other security problems.

tags | advisory, denial of service, vulnerability, ruby
systems | linux, debian
advisories | CVE-2013-1821, CVE-2013-4073
SHA-256 | 5ee13cb1795d7a48b2912c75782eed27a5d04bc434a31b0a2a81f910b352d4a0
Red Hat Security Advisory 2013-1147-01
Posted Aug 9, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1147-01 - Red Hat JBoss SOA Platform is the next-generation ESB and business process automation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage existing, modern, and future integration methodologies to dramatically improve business process execution speed and quality. This roll up patch serves as a cumulative upgrade for Red Hat JBoss SOA Platform 5.3.1. It includes various bug fixes. The following security issues are also fixed with this release: The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.

tags | advisory, spoof
systems | linux, redhat
advisories | CVE-2012-5783, CVE-2013-0269, CVE-2013-1821
SHA-256 | 11be102b169787b03d6c2152f3add04d435de5e2cb57176df49df6ccdaf958a5
Mandriva Linux Security Advisory 2013-200
Posted Jul 26, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-200 - The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005. lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion attack. A flaw was found in Ruby's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. The updated packages have been patched to correct these issues.

tags | advisory, remote, denial of service, spoof, ruby
systems | linux, mandriva
advisories | CVE-2012-4481, CVE-2013-1821, CVE-2013-4073
SHA-256 | 736656b494186a6b0fd429a99fa38e28936ba86fe90a953f36f4d67cff987694
Red Hat Security Advisory 2013-1028-01
Posted Jul 9, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1028-01 - Fuse ESB Enterprise, based on Apache ServiceMix, provides an integration platform. This release of Fuse ESB Enterprise 7.1.0 roll up patch 1 is an update to Fuse ESB Enterprise 7.1.0 and includes bug fixes.

tags | advisory
systems | linux, redhat
advisories | CVE-2012-5575, CVE-2013-0269, CVE-2013-1821, CVE-2013-2160
SHA-256 | dbfdd55df544378dcc45bbf34e83daecacebea4051e3922e1233975573bd1954
Mandriva Linux Security Advisory 2013-124
Posted Apr 11, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-124 - Shugo Maedo and Vit Ondruch discovered that Ruby incorrectly allowed untainted strings to be modified in protective safe levels. An attacker could use this flaw to bypass intended access restrictions. It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory.

tags | advisory, denial of service, ruby
systems | linux, mandriva
advisories | CVE-2012-4466, CVE-2012-4481, CVE-2013-1821
SHA-256 | 3e2e417902b29eb528c22b29313b488fc00b3906282a6db4beb95befcf297016
Ubuntu Security Notice USN-1780-1
Posted Mar 26, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1780-1 - Ben Murphy discovered that the Ruby REXML library incorrectly handled XML entity expansion. An attacker could use this flaw to cause Ruby to consume large amounts of memory, resulting in a denial of service.

tags | advisory, denial of service, ruby
systems | linux, ubuntu
advisories | CVE-2013-1821
SHA-256 | c6dc7d6236b591435b374ba598fdfef6655065b7422004c2048c7595f92c7408
Slackware Security Advisory - ruby Updates
Posted Mar 17, 2013
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current to fix security issues. Related CVE Numbers: CVE-2013-0269,CVE-2013-1821.

tags | advisory, ruby
systems | linux, slackware
advisories | CVE-2013-0269, CVE-2013-1821
SHA-256 | 70a8eb7a223701d6486e1e966e766e93b9134439ef37ecbdbb2e91516d3ffa3e
Red Hat Security Advisory 2013-0612-01
Posted Mar 8, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-0612-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory. It was found that the RHSA-2011:0910 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted code to modify arbitrary, trusted strings, which safe level 4 restrictions would otherwise prevent.

tags | advisory, remote, denial of service, arbitrary, ruby
systems | linux, redhat
advisories | CVE-2012-4481, CVE-2013-1821
SHA-256 | 32e3a547a3c0a24367f1996785cb9cda8c3f06349a10fc8e3db711bfb8a5421d
Red Hat Security Advisory 2013-0611-01
Posted Mar 8, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-0611-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory. All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve this issue.

tags | advisory, denial of service, ruby
systems | linux, redhat
advisories | CVE-2013-1821
SHA-256 | c3980a088e566cc19050f1da5ff225025caeb15e2f077158cb8730b7a09d6a12
Page 1 of 1
Back1Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close