Upgrade RHEL:9 firefox to version 0:91.11.0-2.el9_0 or higher. This issue was patched in RHSA-2022:5481 .

Improper Input Validation in ruby-multi-xml | CVE-2013-0175

Threat Intelligence

Not Defined

6.52% (94^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Input Validation vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-DEBIANUNSTABLE-RUBYMULTIXML-606033
published19 Aug 2020
disclosed25 Apr 2013

Report a new vulnerability Found a mistake?

Introduced: 25 Apr 2013

CVE-2013-0175 (opens in a new tab) CWE-20 (opens in a new tab)

Amendment

The Debian security team deemed this advisory irrelevant for Debian:unstable.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ruby-multi-xml package and not the ruby-multi-xml package as distributed by Debian.

multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

Improper Input Validation The advisory has been revoked - it doesn't affect any version of package ruby-multi-xml (opens in a new tab)