Ruby

By DeepSource

Rails version with XML DOS vulnerability detected RB-A1002

Security

Selected versions of Rails 2, 3 and 4 are vulnerable to denial-of-service attacks via XML. Upgrading to a newer, patched version of Rails fixes this issue.

Parsing an XML document with very deep element nesting can make the application raise a SystemStackError, resulting in a denial of service. This only affects applications that use REXML or JDOM as their XML processor; the other XML processors Rails supports are not affected.
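As an added illustration, not code from DeepSource or Rails, the following Ruby pre-check measures element nesting depth with a streaming scan so an over-deep body can be rejected before it reaches REXML or JDOM. The names `MAX_XML_DEPTH`, `xml_nesting_depth` and `check_xml_depth!` are chosen here, and the limit of 100 is an assumption to tune to the documents your endpoints legitimately accept.

```ruby
require 'strscan'

# Added example (not DeepSource's or Rails' code): reject over-deep XML before
# a tree-building parser recurses into it. Assumed limit; adjust for your schemas.
MAX_XML_DEPTH = 100

class XmlTooDeep < StandardError; end

# Maximum element depth of +xml+, computed without building a tree. Comments,
# CDATA, processing instructions and DOCTYPE do not nest and are skipped; text
# is ignored. This is a lexical pre-filter: well-formedness is the parser's job.
def xml_nesting_depth(xml)
  s = StringScanner.new(xml)
  depth = max_depth = 0
  until s.eos?
    if s.skip(/<!--.*?-->/m) || s.skip(/<!\[CDATA\[.*?\]\]>/m) ||
       s.skip(/<\?.*?\?>/m) || s.skip(/<![^>]*>/)
      next                                  # markup that does not nest
    elsif s.skip(%r{</[^>]*>})              # end tag
      depth -= 1
    elsif s.skip(%r{<[^>]*/>})              # self-closing element: no change
      next
    elsif s.skip(/<[^>]*>/)                 # start tag
      depth += 1
      max_depth = depth if depth > max_depth
    else
      s.skip(/[^<]+/) || s.getch            # character data, or a stray '<'
    end
  end
  max_depth
end

# Raises XmlTooDeep when +xml+ nests deeper than +limit+; otherwise returns the
# document unchanged so the call can be chained straight into the real parser.
def check_xml_depth!(xml, limit = MAX_XML_DEPTH)
  depth = xml_nesting_depth(xml)
  raise XmlTooDeep, "nesting depth #{depth} exceeds limit #{limit}" if depth > limit
  xml
end

if __FILE__ == $PROGRAM_NAME
  ok   = "<order><item sku='1'/><note><![CDATA[<b>]]></note></order>" # constructed sample
  deep = "<e>" * 5_000 + "</e>" * 5_000                               # constructed over-deep sample
  puts "depth of sample: #{xml_nesting_depth(ok)}"                    # 2
  begin
    check_xml_depth!(deep)
  rescue XmlTooDeep => e
    puts "rejected: #{e.message}"
  end
end
```

Upgrading Rails remains the fix; this check is an extra layer for code paths that parse request bodies with REXML or JDOM directly.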

References

  1. CVE-2015-3227 - Rails Security Group
  2. CVE-2015-3227 - GitHub Advisory Database
  3. OWASP Top 10 - A4 - XML External Entities
  4. OWASP Top 10 - A9 - Using Components With Known Vulnerabilities