CVE-2015-3227: activesupport vulnerable to Denial of Service via large XML document depth
The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 3.2.22, 4.1.x before 4.1.11, and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
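As an added example that is not part of this advisory or of the Rails code base, the Ruby below shows two defensive patterns against the failure mode described above. All names, the limit value and the sample documents are hypothetical. The first guard is a streaming depth pre-check built on REXML's event-driven SAX2 parser, which counts element nesting in a loop rather than by recursion, so an over-deep document is rejected before any tree walk sees it. The second guard threads a depth budget through a recursive XML-to-hash conversion, so that even a converter called without the pre-check fails with a controlled error instead of a SystemStackError.

```ruby
# Added example, not Active Support code. Names below are hypothetical.
require "rexml/document"
require "rexml/parsers/sax2parser"

class XmlTooDeep < StandardError; end

# Hypothetical default limit, chosen for illustration only.
DEFAULT_MAX_DEPTH = 100

# Guard 1: streaming pre-check. REXML's SAX2 parser pulls events in a loop, so
# counting nesting here needs no recursion and constant extra memory; a hostile
# document is rejected as soon as it crosses the limit.
def xml_max_depth(xml, limit: DEFAULT_MAX_DEPTH)
  depth = 0
  deepest = 0
  parser = REXML::Parsers::SAX2Parser.new(xml)
  parser.listen(:start_element) do |_uri, _local, _qname, _attrs|
    depth += 1
    deepest = depth if depth > deepest
    raise XmlTooDeep, "nesting depth #{depth} exceeds limit #{limit}" if depth > limit
  end
  parser.listen(:end_element) { |_uri, _local, _qname| depth -= 1 }
  parser.parse
  deepest
end

# Guard 2: a depth budget carried down the recursion. Each level consumes one
# unit; when the budget is exhausted the converter raises instead of recursing
# further. (Repeated child names overwrite each other; that simplification is
# deliberate for the example.)
def element_to_hash(element, budget)
  raise XmlTooDeep, "document exceeds depth budget" if budget <= 0
  children = element.elements.to_a
  return element.text.to_s.strip if children.empty?
  children.each_with_object({}) do |child, h|
    h[child.name] = element_to_hash(child, budget - 1)
  end
end

# Combined entry point: reject before building the tree, then convert under budget.
def safe_from_xml(xml, limit: DEFAULT_MAX_DEPTH)
  xml_max_depth(xml, limit: limit)
  doc = REXML::Document.new(xml)
  { doc.root.name => element_to_hash(doc.root, limit) }
end

# Constructed sample input: `depth` nested <n> elements around a text node.
def nested_xml(depth)
  ("<n>" * depth) + "x" + ("</n>" * depth)
end

if __FILE__ == $PROGRAM_NAME
  p safe_from_xml("<a><b>1</b><c>2</c></a>")
  begin
    safe_from_xml(nested_xml(5000))
  rescue XmlTooDeep => e
    puts "rejected: #{e.message}"
  end
end
```

Running the file converts the small document and reports the 5000-deep one as rejected at depth 101, well before the recursive converter is reached.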
References
- github.com/advisories/GHSA-j96r-xvjq-r9pg
- github.com/rails/rails
- github.com/rails/rails/commit/12f763ce1131d29d24bd0d8f868e2697a139aea3
- github.com/rails/rails/commit/153cc843ad95930b00b0ca91d30b599b7dec9680
- github.com/rails/rails/commit/78b29e08c700d889837af6c51c7debd3864abc3d
- groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J
- nvd.nist.gov/vuln/detail/CVE-2015-3227
- web.archive.org/web/20200228041703/http://www.securityfocus.com/bid/75234
- web.archive.org/web/20200517005133/http://www.securitytracker.com/id/1033755