CVE-2015-3227 : The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, whe

The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.

Published 2015-07-26 22:59:06

Updated 2019-08-08 15:43:50

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Exploit prediction scoring system (EPSS) score for CVE-2015-3227

Probability of exploitation activity in the next 30 days: 1.57%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2015-3227

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

References for CVE-2015-3227

http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html

openSUSE-SU-2015:1279-1: moderate: Security update for rubygem-activesup
http://openwall.com/lists/oss-security/2015/06/16/16

oss-security - [CVE-2015-3227] Possible Denial of Service attack in Active Support
http://www.debian.org/security/2016/dsa-3464

Debian -- Security Information -- DSA-3464-1 rails

CVEs referencing this url
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J

Vendor Advisory
http://www.securitytracker.com/id/1033755

Rails Bugs Let Remote Users Deny Service and Conduct Cross-Site Scripting Attacks - SecurityTracker

CVEs referencing this url
http://www.securityfocus.com/bid/75234

Ruby on Rails activesupport CVE-2015-3227 XML Parsing Remote Denial of Service Vulnerability

Products affected by CVE-2015-3227

Opensuse » Opensuse » Version: 13.2
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
Matching versions
Opensuse » Opensuse » Version: 13.1
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
Matching versions
Rubyonrails » Rails » Version: 4.1.1
cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*
Matching versions
Rubyonrails » Rails » Version: 4.1.2
cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*
Matching versions
Rubyonrails » Rails » Version: 4.1.3
cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*
Matching versions
Rubyonrails » Rails » Version: 4.1.4
cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*
Matching versions
Rubyonrails » Rails » Version: 4.1.5
cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*
Matching versions
Rubyonrails » Rails » Version: 4.1.6
cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*
Matching versions
Rubyonrails » Rails » Version: 4.1.7
cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*
Matching versions
Rubyonrails » Rails » Version: 4.2.1
cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*
Matching versions
Rubyonrails » Rails » Version: 4.2.0
cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*
Matching versions
Rubyonrails » Rails » Version: 4.1.8
cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*
Matching versions
Rubyonrails » Rails » Version: 4.1.0
cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2015-3227

Exploit prediction scoring system (EPSS) score for CVE-2015-3227

CVSS scores for CVE-2015-3227

References for CVE-2015-3227

Products affected by CVE-2015-3227