CVE-2014-8090

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.

References

http://advisories.mageia.org/MGASA-2014-0472.html

http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html

http://lists.opensuse.org/opensuse-updates/2014-12/msg00035.html

http://lists.opensuse.org/opensuse-updates/2015-01/msg00000.html

http://lists.opensuse.org/opensuse-updates/2015-01/msg00004.html

http://rhn.redhat.com/errata/RHSA-2014-1911.html

http://rhn.redhat.com/errata/RHSA-2014-1912.html

http://rhn.redhat.com/errata/RHSA-2014-1913.html

http://rhn.redhat.com/errata/RHSA-2014-1914.html

http://secunia.com/advisories/59948

http://secunia.com/advisories/62050

http://secunia.com/advisories/62748

http://www.debian.org/security/2015/dsa-3157

http://www.debian.org/security/2015/dsa-3159

http://www.mandriva.com/security/advisories?name=MDVSA-2015:129

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

http://www.securityfocus.com/bid/71230

http://www.ubuntu.com/usn/USN-2412-1

https://support.apple.com/HT205267

https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/

Details

Source: MITRE

Published: 2014-11-21

Updated: 2017-01-03

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Tenable Plugins

View all (27 total)

IDNameProductFamilySeverity
124931EulerOS Virtualization 3.0.1.0 : ruby (EulerOS-SA-2019-1428)NessusHuawei Local Security Checks
critical
119065EulerOS Virtualization 2.5.1 : ruby (EulerOS-SA-2018-1374)NessusHuawei Local Security Checks
medium
8982Mac OS X < 10.11 Multiple VulnerabilitiesNessus Network MonitorOperating System Detection
critical
86270Mac OS X < 10.11 Multiple Vulnerabilities (GHOST)NessusMacOS X Local Security Checks
critical
82805Debian DLA-200-1 : ruby1.9.1 security updateNessusDebian Local Security Checks
medium
82382Mandriva Linux Security Advisory : ruby (MDVSA-2015:129)NessusMandriva Local Security Checks
medium
82233Debian DLA-88-1 : ruby1.8 security updateNessusDebian Local Security Checks
high
81279Debian DSA-3159-1 : ruby1.8 - security updateNessusDebian Local Security Checks
medium
81250Debian DSA-3157-1 : ruby1.9.1 - security updateNessusDebian Local Security Checks
medium
81040SuSE 11.3 Security Update : Ruby (SAT Patch Number 10126)NessusSuSE Local Security Checks
medium
80356openSUSE Security Update : ruby2.1 (openSUSE-SU-2015:0007-1)NessusSuSE Local Security Checks
medium
80353openSUSE Security Update : ruby20 (openSUSE-SU-2015:0002-1)NessusSuSE Local Security Checks
medium
79980GLSA-201412-27 : Ruby: Denial of ServiceNessusGentoo Local Security Checks
high
79820openSUSE Security Update : ruby19 (openSUSE-SU-2014:1589-1)NessusSuSE Local Security Checks
medium
79658Scientific Linux Security Update : ruby on SL7.x x86_64 (20141126)NessusScientific Linux Local Security Checks
medium
79657Scientific Linux Security Update : ruby on SL6.x i386/x86_64 (20141126)NessusScientific Linux Local Security Checks
medium
79643CentOS 7 : ruby (CESA-2014:1912)NessusCentOS Local Security Checks
medium
79642CentOS 6 : ruby (CESA-2014:1911)NessusCentOS Local Security Checks
medium
79596RHEL 7 : ruby (RHSA-2014:1912)NessusRed Hat Local Security Checks
medium
79595RHEL 6 : ruby (RHSA-2014:1911)NessusRed Hat Local Security Checks
medium
79594Oracle Linux 7 : ruby (ELSA-2014-1912)NessusOracle Linux Local Security Checks
medium
79593Oracle Linux 6 : ruby (ELSA-2014-1911)NessusOracle Linux Local Security Checks
medium
79571Mandriva Linux Security Advisory : ruby (MDVSA-2014:225)NessusMandriva Local Security Checks
medium
79382Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : ruby1.8, ruby1.9.1, ruby2.0, ruby2.1 vulnerability (USN-2412-1)NessusUbuntu Local Security Checks
medium
79298Amazon Linux AMI : ruby21 (ALAS-2014-449)NessusAmazon Linux Local Security Checks
medium
79297Amazon Linux AMI : ruby20 (ALAS-2014-448)NessusAmazon Linux Local Security Checks
medium
79296Amazon Linux AMI : ruby19 (ALAS-2014-447)NessusAmazon Linux Local Security Checks
medium