CVE-2013-0175 : multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other p

multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

Published 2013-04-25 23:55:01

Updated 2025-04-11 00:51:22

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Execute codeDenial of service

Products affected by CVE-2013-0175

Erik Michaels-ober » Multi Xml » Version: 0.5.2
cpe:2.3:a:erik_michaels-ober:multi_xml:0.5.2:*:*:*:*:*:*:*
Matching versions
When used together with: Ruby-lang » Ruby
Grape Project » Grape » Version: 0.2.4
cpe:2.3:a:grape_project:grape:0.2.4:*:*:*:*:*:*:*
Matching versions
Grape Project » Grape » Version: 0.2.3
cpe:2.3:a:grape_project:grape:0.2.3:*:*:*:*:*:*:*
Matching versions
Grape Project » Grape » Version: 0.1.2
cpe:2.3:a:grape_project:grape:0.1.2:*:*:*:*:*:*:*
Matching versions
Grape Project » Grape » Version: 0.1.1
cpe:2.3:a:grape_project:grape:0.1.1:*:*:*:*:*:*:*
Matching versions
Grape Project » Grape » Version: 0.2.2
cpe:2.3:a:grape_project:grape:0.2.2:*:*:*:*:*:*:*
Matching versions
Grape Project » Grape » Version: 0.2.1
cpe:2.3:a:grape_project:grape:0.2.1:*:*:*:*:*:*:*
Matching versions
Grape Project » Grape » Version: 0.1.0
cpe:2.3:a:grape_project:grape:0.1.0:*:*:*:*:*:*:*
Matching versions
Grape Project » Grape » Version: 0.2.0
cpe:2.3:a:grape_project:grape:0.2.0:*:*:*:*:*:*:*
Matching versions
Grape Project » Grape » Version: 0.1.5
cpe:2.3:a:grape_project:grape:0.1.5:*:*:*:*:*:*:*
Matching versions
Grape Project » Grape » Version: 0.2.5
cpe:2.3:a:grape_project:grape:0.2.5:*:*:*:*:*:*:*
Matching versions
Grape Project » Grape » Version: 0.1.4
cpe:2.3:a:grape_project:grape:0.1.4:*:*:*:*:*:*:*
Matching versions
Grape Project » Grape » Version: 0.1.3
cpe:2.3:a:grape_project:grape:0.1.3:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-0175

EPSS FAQ

1.01%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 75 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-0175

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2013-0175

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-0175

https://github.com/sferik/multi_xml/pull/34

Remove ability to parse symbols and yaml by nate · Pull Request #34 · sferik/multi_xml · GitHub
https://gist.github.com/nate/d7f6d9f4925f413621aa

Addresses a security vulnerability in multi_xml that is identical to the recent rails vulnerability. This is very, very serious and includes the possibility of remote code exploit and SQL injection. U
http://www.openwall.com/lists/oss-security/2013/01/11/9

oss-security - Re: CVE request for multi_xml ruby gem (has same problem as CVE-2013-0156)
https://groups.google.com/forum/?fromgroups=#%21topic/ruby-grape/fthDkMgIOa0

Sign in - Google Accounts
https://news.ycombinator.com/item?id=5040457

MultiXml gem has same vulnerability as Rails' CVE-2013-0156 – patch now | Hacker News

Jump to

Vulnerability Details : CVE-2013-0175

Products affected by CVE-2013-0175

Exploit prediction scoring system (EPSS) score for CVE-2013-0175

CVSS scores for CVE-2013-0175

CWE ids for CVE-2013-0175

References for CVE-2013-0175