N/A

CVSS Score

Basic Information

CVE ID

CVE-2013-1856

GHSA ID

GHSA-9c2j-593q-3g82

EPSS Score

0.72576%

CWE

CWE-20

Published

10/24/2017

Updated

11/6/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-1856

CVE-2013-1856: activesupport Improper Input Validation vulnerability

The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2013-1856

GHSA ID

GHSA-9c2j-593q-3g82

EPSS Score

0.72576%

CWE

CWE-20

Published

10/24/2017

Updated

11/6/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
activesupport	rubygems	>= 3.0.0, < 3.1.12	3.1.12
activesupport	rubygems	>= 3.2.0, < 3.2.13	3.2.13

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the JDOM XML parser backend not properly restricting dangerous XML features. The parse method in XmlMini_JDOM would have been responsible for configuring the DocumentBuilder parser. The advisory specifically calls out that the default JVM configuration allowed external entity processing, and the fix involved either switching parsers (to REXML) or properly securing the DocumentBuilder configuration - indicating the vulnerability resided in the XmlMini_JDOM parsing implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** `**tiv*Support::XmlMini_J*OM` ***k*n* in `li*/**tiv*_support/xml_mini/j*om.r*` in t** **tiv* Support *ompon*nt in Ru*y on R*ils *.*.x *n* *.*.x ***or* *.*.** *n* *.*.x ***or* *.*.**, w**n JRu*y is us**, *o*s not prop*rly r*stri*t t** **p**iliti*s

Reasoning

T** vuln*r**ility st*ms *rom t** J*OM XML p*rs*r ***k*n* not prop*rly r*stri*tin* **n**rous XML ***tur*s. T** p*rs* m*t*o* in XmlMini_J*OM woul* **v* ***n r*sponsi*l* *or *on*i*urin* t** *o*um*nt*uil**r p*rs*r. T** **visory sp**i*i**lly **lls out t**

N/A

Basic Information

Concerned about an active attack path?

CVE-2013-1856: activesupport Improper Input Validation vulnerability

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI