activesupport vulnerable to Denial of Service via large XML document depth

GHSA-j96r-xvjq-r9pg · CVE-2015-3227

Published Oct 24, 2017 · Modified Mar 31, 2025

Description

The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 3.2.22, 4.1.x before 4.1.11, and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2015-3227
WEB https://github.com/rails/rails/commit/12f763ce1131d29d24bd0d8f868e2697a139aea3
WEB https://github.com/rails/rails/commit/153cc843ad95930b00b0ca91d30b599b7dec9680
WEB https://github.com/rails/rails/commit/78b29e08c700d889837af6c51c7debd3864abc3d
PACKAGE https://github.com/rails/rails
WEB https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J
WEB https://web.archive.org/web/20200228041703/http://www.securityfocus.com/bid/75234
WEB https://web.archive.org/web/20200517005133/http://www.securitytracker.com/id/1033755
WEB http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html
WEB http://openwall.com/lists/oss-security/2015/06/16/16
WEB http://www.debian.org/security/2016/dsa-3464

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes