5

CVE-2008-3790

Exploit
The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ruby-langRuby Version1.8.6
Ruby-langRuby Version1.8.6 Updatep110
Ruby-langRuby Version1.8.6 Updatep111
Ruby-langRuby Version1.8.6 Updatep114
Ruby-langRuby Version1.8.6 Updatep230
Ruby-langRuby Version1.8.6 Updatep286
Ruby-langRuby Version1.8.6 Updatep287
Ruby-langRuby Version1.8.6 Updatep36
Ruby-langRuby Version1.8.6 Updatepreview1
Ruby-langRuby Version1.8.6 Updatepreview2
Ruby-langRuby Version1.8.6 Updatepreview3
Ruby-langRuby Version1.8.7
Ruby-langRuby Version1.8.7 Updatep17
Ruby-langRuby Version1.8.7 Updatep22
Ruby-langRuby Version1.8.7 Updatep71
Ruby-langRuby Version1.8.7 Updatep72
Ruby-langRuby Version1.8.7 Updatepreview1
Ruby-langRuby Version1.8.7 Updatepreview2
Ruby-langRuby Version1.8.7 Updatepreview3
Ruby-langRuby Version1.8.7 Updatepreview4
Ruby-langRuby Version1.9
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 15.2% 0.963
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
http://secunia.com/advisories/35074
http://support.apple.com/kb/HT3549
http://www.us-cert.gov/cas/techalerts/TA09-133A.html
US Government Resource
http://www.vupen.com/english/advisories/2009/1297
http://secunia.com/advisories/32371
http://www.redhat.com/support/errata/RHSA-2008-0897.html
http://secunia.com/advisories/33178
http://security.gentoo.org/glsa/glsa-200812-17.xml
http://secunia.com/advisories/32219
https://usn.ubuntu.com/651-1/
http://secunia.com/advisories/32165
http://secunia.com/advisories/32255
http://secunia.com/advisories/32256
http://support.avaya.com/elmodocs2/security/ASA-2008-424.htm
http://www.debian.org/security/2008/dsa-1651
http://www.debian.org/security/2008/dsa-1652
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00259.html
https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00299.html
http://secunia.com/advisories/33185
https://usn.ubuntu.com/691-1/
http://groups.google.com/group/comp.lang.ruby/browse_thread/thread/19f69e8a081fc0d1/e138e014b74352ca
http://secunia.com/advisories/31602
http://weblog.rubyonrails.org/2008/9/3/rails-2-0-4-maintenance-release
http://www.openwall.com/lists/oss-security/2008/08/25/4
http://www.openwall.com/lists/oss-security/2008/08/26/1
http://www.openwall.com/lists/oss-security/2008/08/26/4
http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
Patch
Exploit
http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb
Patch
http://www.securityfocus.com/bid/30802
http://www.securitytracker.com/id?1020735
http://www.vupen.com/english/advisories/2008/2428
http://www.vupen.com/english/advisories/2008/2483
https://exchange.xforce.ibmcloud.com/vulnerabilities/44628
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10393