CVE-2013-1856: Improper Input Validation

March 19, 2013 (updated August 8, 2019)

The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.

References

web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1856
www.openwall.com/lists/oss-security/2013/03/18/4

Code Behaviors & Features

Detect and mitigate CVE-2013-1856 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →