ALAS-2014-447 -- ruby19 rubygem19 rubygems19
ID: oval:org.secpod.oval:def:1600182 | Date: (C)2016-01-19 (M)2024-02-19
Class: PATCH | Family: unix
The upstream patch for CVE-2014-8080 introduced checks against REXML.entity_expansion_text_limit, but did not add restrictions on the number of expansions performed, i.e. checks against REXML::Document.entity_expansion_limit. As a consequence, even with that patch applied, a small XML document could cause REXML to consume an excessive amount of CPU time; larger inputs could additionally drive memory usage high.
Platform: Amazon Linux AMI
Product: ruby19, rubygem19, rubygems19