CVE-2013-1812 : The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to caus

The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.

Published 2013-12-12 18:55:11

Updated 2025-04-11 00:51:22

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2013-1812

Fedoraproject » Fedora » Version: 17
cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 18
cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:*
Matching versions
Janrain » Ruby-openid » For Ruby
Versions up to, including, (<=) 2.2.1
cpe:2.3:a:janrain:ruby-openid:*:-:-:*:-:ruby:*:*
Matching versions
Janrain » Ruby-openid » Version: 2.2.0 For Ruby
cpe:2.3:a:janrain:ruby-openid:2.2.0:-:-:*:-:ruby:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-1812

EPSS FAQ

0.53%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 65 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-1812

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2013-1812

CWE-399

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-1812

http://www.openwall.com/lists/oss-security/2013/03/03/8

oss-security - Re: CVE request: ruby-openid XML denial of service attack
Patch
https://github.com/openid/ruby-openid/blob/master/CHANGELOG.md

ruby-openid/CHANGELOG.md at master · openid/ruby-openid · GitHub
http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120204.html

[SECURITY] Fedora 19 Update: rubygem-ruby-openid-2.3.0-3.fc19
https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed

Merge pull request #43 from nov/against_dos · openid/ruby-openid@a3693ce · GitHub
Exploit;Patch
https://github.com/openid/ruby-openid/pull/43

limit fetching file size & disable XML entity expansion by nov · Pull Request #43 · openid/ruby-openid · GitHub
http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120361.html

[SECURITY] Fedora 20 Update: rubygem-ruby-openid-2.3.0-3.fc20
https://bugzilla.redhat.com/show_bug.cgi?id=918134

918134 – (CVE-2013-1812) CVE-2013-1812 ruby-openid: Vulnerable to XIE DoS attacks

Jump to

Vulnerability Details : CVE-2013-1812

Products affected by CVE-2013-1812

Exploit prediction scoring system (EPSS) score for CVE-2013-1812

CVSS scores for CVE-2013-1812

CWE ids for CVE-2013-1812

References for CVE-2013-1812