CVE-2013-1856: activesupport Improper Input Validation vulnerability
N/A
CVSS Score
Basic Information
CVE ID
GHSA ID
EPSS Score
0.72576%
CWE
Published
10/24/2017
Updated
11/6/2023
KEV Status
No
Technology
Ruby
Technical Details
CVSS Vector
-
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
activesupport | rubygems | >= 3.0.0, < 3.1.12 | 3.1.12 |
activesupport | rubygems | >= 3.2.0, < 3.2.13 | 3.2.13 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the JDOM XML parser backend not properly restricting dangerous XML features. The parse method in XmlMini_JDOM would have been responsible for configuring the DocumentBuilder parser. The advisory specifically calls out that the default JVM configuration allowed external entity processing, and the fix involved either switching parsers (to REXML) or properly securing the DocumentBuilder configuration - indicating the vulnerability resided in the XmlMini_JDOM parsing implementation.