CVE-2014-8090

CVE Details

Release Date:2014-11-13
Impact:Moderate What is this?

Description


The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.xbefore 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.

See more information about CVE-2014-8090 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v2 metrics

Base Score: 4.3
Vector String: AV:N/AC:M/Au:N/C:N/I:N/A:P
Version: 2.0
Attack Vector: Network
Attack Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Partial

Errata information


PlatformErrataRelease Date
Oracle Linux version 6 (ruby)ELSA-2014-19112014-11-26
Oracle Linux version 6 (ruby193-ruby)ELSA-2014-19132016-02-04
Oracle Linux version 7 (ruby)ELSA-2014-19122014-11-26


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete