ALAS-2014-448 -- ruby20 rubygems20 rubygem20
ID: oval:org.secpod.oval:def:1600113
Date: (C)2016-01-19 (M)2024-02-19
Class: PATCH
Family: unix
The upstream patch for CVE-2014-8080 introduced checks against the REXML.entity_expansion_text_limit, but did not add restrictions to limit the number of expansions performed, i.e. checks against the REXML::Document.entity_expansion_limit. As a consequence, even with the patch applied, a small XML document could cause REXML to use an excessive amount of CPU time. High memory usage can be achieved using larger inputs.
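As an added example (not code from the advisory, from Amazon Linux, or from REXML's own documentation), the Ruby below exercises the two REXML budgets the advisory distinguishes: REXML::Document.entity_expansion_text_limit caps the bytes produced by expansion, and REXML::Document.entity_expansion_limit caps the number of expansions performed. The two XML documents are constructed for the example. The nested one expands to only a kilobyte of text, so a byte-size check on its own does not reject it; the expansion-count check does, which is the gap the advisory describes.

```ruby
require 'rexml/document'

# Constructed sample: one ordinary internal entity.
BENIGN_XML = <<~XML
  <!DOCTYPE note [ <!ENTITY who "reader"> ]>
  <note>hello &who;</note>
XML

# Constructed sample: three nested internal entities. The markup is tiny and
# the expanded text is only 1000 bytes, but producing it takes many
# substitutions (each &b; pulls in ten &a; and so on).
NESTED_XML = <<~XML
  <!DOCTYPE x [
    <!ENTITY a "aaaaaaaaaa">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  ]>
  <x>&c;</x>
XML

# Parse +xml+ under explicit budgets and restore the process-wide defaults
# afterwards. Returns [:ok, text] when the root text could be expanded, or
# [:rejected, message] when REXML aborted because a limit was exceeded.
def parse_with_limits(xml, expansions:, text_bytes:)
  old_count = REXML::Document.entity_expansion_limit
  old_text  = REXML::Document.entity_expansion_text_limit
  REXML::Document.entity_expansion_limit = expansions
  REXML::Document.entity_expansion_text_limit = text_bytes
  begin
    doc = REXML::Document.new(xml)
    # Reading the text forces entity substitution; older REXML versions
    # expand lazily on access rather than during parsing.
    [:ok, doc.root.text]
  rescue RuntimeError => e # REXML::ParseException is also a RuntimeError
    [:rejected, e.message]
  ensure
    REXML::Document.entity_expansion_limit = old_count
    REXML::Document.entity_expansion_text_limit = old_text
  end
end

if __FILE__ == $PROGRAM_NAME
  p parse_with_limits(BENIGN_XML, expansions: 100, text_bytes: 10_240)
  # Size budget generous, count budget tight: rejected by the count check.
  p parse_with_limits(NESTED_XML, expansions: 5, text_bytes: 10_240)
  # Count budget generous, size budget tight: rejected by the size check.
  p parse_with_limits(NESTED_XML, expansions: 10_000, text_bytes: 500)
  # Both budgets generous: the same document parses.
  p parse_with_limits(NESTED_XML, expansions: 2_000, text_bytes: 10_240)
end
```

The process-wide setters are the only knobs REXML offers, so the helper saves and restores them; in a real application set both limits once at startup to values sized for the documents you actually expect, rather than relying on the byte-size limit alone.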
Platform: Amazon Linux AMI
Product: ruby20, rubygems20, rubygem20