Home

CVE-2014-8090

Description

The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.

Risk Information

Base Score
9.8
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
10.488

Associated Vulnerability

VulnerabilityOS Platform
Multiple vulnerabilities are fixed in OS X El Capitan 10.11.6 UpdateMac
Multiple vulnerabilities are fixed in OS X El Capitan 10.11.6 Combo UpdateMac
Multiple vulnerabilities are fixed in OS X El Capitan 10.11.5 UpdateMac
Multiple vulnerabilities are fixed in OS X El Capitan 10.11.5 Combo UpdateMac
Multiple vulnerabilities are fixed in OS X El Capitan 10.11.4 UpdateMac
Multiple vulnerabilities are fixed in OS X El Capitan 10.11.4 Combo UpdateMac
Multiple vulnerabilities are fixed in OS X El Capitan 10.11.3 UpdateMac
Multiple vulnerabilities are fixed in OS X El Capitan 10.11.2 UpdateMac
Multiple vulnerabilities are fixed in OS X El Capitan 10.11.1 UpdateMac
Object-oriented scripting language (USN-2412-1) libruby1.9.1_1.9.3.0-1ubuntu2.10_i386.debLinux
Object-oriented scripting language (USN-2412-1) libruby1.9.1_1.9.3.0-1ubuntu2.10_amd64.debLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-1.8.7.374-3.el6_6.i686.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-1.8.7.374-3.el6_6.x86_64.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-devel-1.8.7.374-3.el6_6.i686.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-devel-1.8.7.374-3.el6_6.x86_64.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-docs-1.8.7.374-3.el6_6.i686.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-docs-1.8.7.374-3.el6_6.x86_64.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-irb-1.8.7.374-3.el6_6.i686.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-irb-1.8.7.374-3.el6_6.x86_64.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-libs-1.8.7.374-3.el6_6.i686.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-libs-1.8.7.374-3.el6_6.x86_64.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-rdoc-1.8.7.374-3.el6_6.i686.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-rdoc-1.8.7.374-3.el6_6.x86_64.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-ri-1.8.7.374-3.el6_6.i686.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-ri-1.8.7.374-3.el6_6.x86_64.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-static-1.8.7.374-3.el6_6.i686.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-static-1.8.7.374-3.el6_6.x86_64.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-tcltk-1.8.7.374-3.el6_6.i686.rpmLinux
(RHSA-2014:1911) Moderate: ruby security update ruby-tcltk-1.8.7.374-3.el6_6.x86_64.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update ruby-2.0.0.353-22.el7_0.x86_64.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update ruby-devel-2.0.0.353-22.el7_0.x86_64.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update ruby-doc-2.0.0.353-22.el7_0.noarch.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update ruby-irb-2.0.0.353-22.el7_0.noarch.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update ruby-libs-2.0.0.353-22.el7_0.i686.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update ruby-libs-2.0.0.353-22.el7_0.x86_64.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update ruby-tcltk-2.0.0.353-22.el7_0.x86_64.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update rubygem-bigdecimal-1.2.0-22.el7_0.x86_64.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update rubygem-io-console-0.4.2-22.el7_0.x86_64.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update rubygem-json-1.7.7-22.el7_0.x86_64.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update rubygem-minitest-4.3.2-22.el7_0.noarch.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update rubygem-psych-2.0.0-22.el7_0.x86_64.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update rubygem-rake-0.9.6-22.el7_0.noarch.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update rubygem-rdoc-4.0.0-22.el7_0.noarch.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update rubygems-2.0.14-22.el7_0.noarch.rpmLinux
(RHSA-2014:1912) Moderate: ruby security update rubygems-devel-2.0.14-22.el7_0.noarch.rpmLinux
Ruby193-ruby update (ELSA-2014-1913) ruby193-ruby-1.9.3.484-50.0.1.el6.x86_64.rpmLinux
Ruby193-ruby-devel update (ELSA-2014-1913) ruby193-ruby-devel-1.9.3.484-50.0.1.el6.x86_64.rpmLinux
Ruby193-ruby-doc update (ELSA-2014-1913) ruby193-ruby-doc-1.9.3.484-50.0.1.el6.x86_64.rpmLinux
Ruby193-ruby-libs update (ELSA-2014-1913) ruby193-ruby-libs-1.9.3.484-50.0.1.el6.x86_64.rpmLinux
Ruby193-ruby-tcltk update (ELSA-2014-1913) ruby193-ruby-tcltk-1.9.3.484-50.0.1.el6.x86_64.rpmLinux
Ruby193-rubygem-bigdecimal update (ELSA-2014-1913) ruby193-rubygem-bigdecimal-1.1.0-50.0.1.el6.x86_64.rpmLinux
Ruby193-rubygem-io-console update (ELSA-2014-1913) ruby193-rubygem-io-console-0.3-50.0.1.el6.x86_64.rpmLinux
Ruby193-rubygem-json update (ELSA-2014-1913) ruby193-rubygem-json-1.5.5-50.0.1.el6.x86_64.rpmLinux
Ruby193-rubygem-rdoc update (ELSA-2014-1913) ruby193-rubygem-rdoc-3.9.5-50.0.1.el6.x86_64.rpmLinux
Ruby193-ruby-irb update (ELSA-2014-1913) ruby193-ruby-irb-1.9.3.484-50.0.1.el6.noarch.rpmLinux
Ruby193-rubygem-minitest update (ELSA-2014-1913) ruby193-rubygem-minitest-2.5.1-50.0.1.el6.noarch.rpmLinux
Ruby193-rubygem-rake update (ELSA-2014-1913) ruby193-rubygem-rake-0.9.2.2-50.0.1.el6.noarch.rpmLinux
Ruby193-rubygems update (ELSA-2014-1913) ruby193-rubygems-1.8.23-50.0.1.el6.noarch.rpmLinux
Ruby193-rubygems-devel update (ELSA-2014-1913) ruby193-rubygems-devel-1.8.23-50.0.1.el6.noarch.rpmLinux
(CESA-2014:1912) Moderate: ruby security update ruby-2.0.0.353-22.el7_0.x86_64.rpmLinux
(CESA-2014:1912) Moderate: ruby security update ruby-devel-2.0.0.353-22.el7_0.x86_64.rpmLinux
(CESA-2014:1912) Moderate: ruby security update ruby-doc-2.0.0.353-22.el7_0.noarch.rpmLinux
(CESA-2014:1912) Moderate: ruby security update ruby-irb-2.0.0.353-22.el7_0.noarch.rpmLinux
(CESA-2014:1912) Moderate: ruby security update ruby-libs-2.0.0.353-22.el7_0.i686.rpmLinux
(CESA-2014:1912) Moderate: ruby security update ruby-libs-2.0.0.353-22.el7_0.x86_64.rpmLinux
(CESA-2014:1912) Moderate: ruby security update ruby-tcltk-2.0.0.353-22.el7_0.x86_64.rpmLinux
(CESA-2014:1912) Moderate: ruby security update rubygem-bigdecimal-1.2.0-22.el7_0.x86_64.rpmLinux
(CESA-2014:1912) Moderate: ruby security update rubygem-io-console-0.4.2-22.el7_0.x86_64.rpmLinux
(CESA-2014:1912) Moderate: ruby security update rubygem-json-1.7.7-22.el7_0.x86_64.rpmLinux
(CESA-2014:1912) Moderate: ruby security update rubygem-minitest-4.3.2-22.el7_0.noarch.rpmLinux
(CESA-2014:1912) Moderate: ruby security update rubygem-psych-2.0.0-22.el7_0.x86_64.rpmLinux
(CESA-2014:1912) Moderate: ruby security update rubygem-rake-0.9.6-22.el7_0.noarch.rpmLinux
(CESA-2014:1912) Moderate: ruby security update rubygem-rdoc-4.0.0-22.el7_0.noarch.rpmLinux
(CESA-2014:1912) Moderate: ruby security update rubygems-2.0.14-22.el7_0.noarch.rpmLinux
(CESA-2014:1912) Moderate: ruby security update rubygems-devel-2.0.14-22.el7_0.noarch.rpmLinux

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-600753OS X El Capitan 10.11.6 Update
PATCH-600754OS X El Capitan 10.11.6 Combo Update
PATCH-600753OS X El Capitan 10.11.6 Update
PATCH-600754OS X El Capitan 10.11.6 Combo Update
PATCH-600753OS X El Capitan 10.11.6 Update
PATCH-600754OS X El Capitan 10.11.6 Combo Update
PATCH-600753OS X El Capitan 10.11.6 Update
PATCH-600753OS X El Capitan 10.11.6 Update
PATCH-600753OS X El Capitan 10.11.6 Update

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234