Upstream information

CVE-2013-0175 at MITRE

Description

multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 7.5
Vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial
SUSE Bugzilla entry: 798321 [RESOLVED / FIXED]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
SUSE OpenStack Cloud 6
  • ruby2.1-rubygem-multi_xml >= 0.5.5-1.1
Patchnames:
SUSE OpenStack Cloud 6 GA ruby2.1-rubygem-multi_xml-0.5.5-1.1
openSUSE Tumbleweed
  • ruby2.7-rubygem-multi_xml >= 0.6.0-1.14
  • ruby3.0-rubygem-multi_xml >= 0.6.0-1.14
  • ruby3.2-rubygem-multi_xml >= 0.6.0-1.23
Patchnames:
openSUSE Tumbleweed GA ruby2.7-rubygem-multi_xml-0.6.0-1.14
openSUSE Tumbleweed GA ruby3.2-rubygem-multi_xml-0.6.0-1.23


SUSE Timeline for this CVE

CVE page created: Fri Jun 28 13:16:19 2013
CVE page last modified: Sun Aug 27 09:08:08 2023