Vulnerability Details : CVE-2015-3227
The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
Vulnerability category: Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2015-3227
Probability of exploitation activity in the next 30 days: 1.57%
Percentile (the proportion of vulnerabilities scored at or below this score): ~86%
CVSS scores for CVE-2015-3227
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST |
References for CVE-2015-3227
- [openSUSE-SU-2015:1279-1: moderate: Security update for rubygem-activesupport](http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html)
- [oss-security - [CVE-2015-3227] Possible Denial of Service attack in Active Support](http://openwall.com/lists/oss-security/2015/06/16/16)
- [Debian -- Security Information -- DSA-3464-1 rails](http://www.debian.org/security/2016/dsa-3464)
- [Vendor Advisory (rubyonrails-security)](https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J)
- [Rails Bugs Let Remote Users Deny Service and Conduct Cross-Site Scripting Attacks - SecurityTracker](http://www.securitytracker.com/id/1033755)
- [Ruby on Rails activesupport CVE-2015-3227 XML Parsing Remote Denial of Service Vulnerability](http://www.securityfocus.com/bid/75234)
Products affected by CVE-2015-3227
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*