exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 11 of 11 RSS Feed

CVE-2014-8090

Status Candidate

Overview

The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.

Related Files

Apple Security Advisory 2015-09-30-03
Posted Oct 1, 2015
Authored by Apple | Site apple.com

Apple Security Advisory 2015-09-30-03 - OS X El Capitan 10.11 is now available and addresses close to 100 vulnerabilities that may exist in prior releases.

tags | advisory, vulnerability
systems | apple, osx
advisories | CVE-2013-3951, CVE-2014-2532, CVE-2014-3618, CVE-2014-6277, CVE-2014-7186, CVE-2014-7187, CVE-2014-8080, CVE-2014-8090, CVE-2014-8146, CVE-2014-8147, CVE-2014-8611, CVE-2014-9425, CVE-2014-9427, CVE-2014-9652, CVE-2014-9705, CVE-2014-9709, CVE-2015-0231, CVE-2015-0232, CVE-2015-0235, CVE-2015-0273, CVE-2015-0286, CVE-2015-0287, CVE-2015-1351, CVE-2015-1352, CVE-2015-1855, CVE-2015-2301, CVE-2015-2305, CVE-2015-2331
SHA-256 | 7a0709c784a5d4fb9ea404af89915bb4719339d731eebc17ca1e750e0b02747c
Mandriva Linux Security Advisory 2015-129
Posted Mar 30, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-129 - Due to unrestricted entity expansion, when reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service. Will Wood discovered that Ruby incorrectly handled the encodes() function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. Due to an incomplete fix for 100% CPU utilization can occur as a result of recursive expansion with an empty String. When reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.

tags | advisory, denial of service, arbitrary, ruby
systems | linux, mandriva
advisories | CVE-2014-4975, CVE-2014-8080, CVE-2014-8090
SHA-256 | 81e3a6da88aa29facafd616dc8b716c1aff7f0e2b4c29f1fd07c25ee27dde04b
Debian Security Advisory 3159-1
Posted Feb 11, 2015
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3159-1 - It was discovered that the REXML parser, part of the interpreter for the Ruby language, could be coerced into allocating large string objects that could consume all available memory on the system. This could allow remote attackers to cause a denial of service (crash).

tags | advisory, remote, denial of service, ruby
systems | linux, debian
advisories | CVE-2014-8080, CVE-2014-8090
SHA-256 | 898382bfe535f1942a279b47e68da8e330be3d52ec2753d63d26e5cd262bf6c5
Debian Security Advisory 3157-1
Posted Feb 9, 2015
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3157-1 - Multiple vulnerabilities were discovered in the interpreter for the Ruby language.

tags | advisory, vulnerability, ruby
systems | linux, debian
advisories | CVE-2014-4975, CVE-2014-8080, CVE-2014-8090
SHA-256 | ad0b1bc1dc150910ecc5028b1f499c6140172c1ab38abae8e3ea2bd478999d96
Gentoo Linux Security Advisory 201412-27
Posted Dec 15, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201412-27 - Multiple vulnerabilities have been found in Ruby, allowing context-dependent attackers to cause a Denial of Service condition. Versions less than 2.0.0_p598 are affected.

tags | advisory, denial of service, vulnerability, ruby
systems | linux, gentoo
advisories | CVE-2011-0188, CVE-2011-1004, CVE-2011-1005, CVE-2011-4815, CVE-2012-4481, CVE-2012-5371, CVE-2013-0269, CVE-2013-1821, CVE-2013-4164, CVE-2014-8080, CVE-2014-8090
SHA-256 | 54e66264d3d6d38c3086840b65a1d59298b94700ea2d898a1673e706acdba6e8
Red Hat Security Advisory 2014-1914-01
Posted Nov 27, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1914-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. A stack-based buffer overflow was found in the implementation of the Ruby Array pack() method. When performing base64 encoding, a single byte could be written past the end of the buffer, possibly causing Ruby to crash.

tags | advisory, denial of service, overflow, ruby
systems | linux, redhat
advisories | CVE-2014-4975, CVE-2014-8080, CVE-2014-8090
SHA-256 | 64e3d44e9dbab89e160adf73238ebdb29bdeec72fc06bbc51f513a53b785ec91
Red Hat Security Advisory 2014-1913-01
Posted Nov 27, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1913-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. A stack-based buffer overflow was found in the implementation of the Ruby Array pack() method. When performing base64 encoding, a single byte could be written past the end of the buffer, possibly causing Ruby to crash.

tags | advisory, denial of service, overflow, ruby
systems | linux, redhat
advisories | CVE-2014-4975, CVE-2014-8080, CVE-2014-8090
SHA-256 | d34b054a1a09c5c71830a7fcd1d0e8f4e17c481c432a2ca499f384346ad1bb95
Red Hat Security Advisory 2014-1912-01
Posted Nov 27, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1912-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. A stack-based buffer overflow was found in the implementation of the Ruby Array pack() method. When performing base64 encoding, a single byte could be written past the end of the buffer, possibly causing Ruby to crash.

tags | advisory, denial of service, overflow, ruby
systems | linux, redhat
advisories | CVE-2014-4975, CVE-2014-8080, CVE-2014-8090
SHA-256 | 605c3f723bbfea05479a3515ed6e3f17674fe0a63446d76ac3980b8b44b410b6
Red Hat Security Advisory 2014-1911-01
Posted Nov 27, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1911-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Multiple denial of service flaws were found in the way the Ruby REXML XML parser performed expansion of parameter entities. A specially crafted XML document could cause REXML to use an excessive amount of CPU and memory. The CVE-2014-8090 issue was discovered by Red Hat Product Security.

tags | advisory, denial of service, ruby
systems | linux, redhat
advisories | CVE-2014-8080, CVE-2014-8090
SHA-256 | f40e101efebd630758efe522c9936ca1eb07b705ae9818d1a01084211278397c
Mandriva Linux Security Advisory 2014-225
Posted Nov 25, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-225 - Will Wood discovered that Ruby incorrectly handled the encodes() function. An attacker could possibly use this issue to cause Ruby to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. Due to an incomplete fix for 100% CPU utilization can occur as a result of recursive expansion with an empty String. When reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service. Additionally ruby has been upgraded to patch level 374.

tags | advisory, denial of service, arbitrary, ruby
systems | linux, mandriva
advisories | CVE-2014-4975, CVE-2014-8090
SHA-256 | d2439eb4aac15fb7ad6deed92bf9356a7b28b2c87ab6702fba7654a4613543c6
Ubuntu Security Notice USN-2412-1
Posted Nov 20, 2014
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2412-1 - Tomas Hoger discovered that Ruby incorrectly handled XML entity expansion. An attacker could use this flaw to cause Ruby to consume large amounts of resources, resulting in a denial of service.

tags | advisory, denial of service, ruby
systems | linux, ubuntu
advisories | CVE-2014-8090
SHA-256 | 01722294a0b313f8e8afdbc85a33a5bbad3769b7586918f6bcfb791c4d0d0ccf
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close