CVE-2013-1821
ruby1.8 - several
EPSS 25.7%
Description
When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects, which can consume all of the memory on a machine and cause a denial of service. JRuby resolves this bug in version 1.7.3, as noted in https://www.jruby.org/2013/02/21/jruby-1-7-3.html
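As an added example (not code from this advisory, REXML or JRuby), a Ruby pre-parse check that sizes the expansion of DTD-declared internal entities, the mechanism that inflates text nodes here, and rejects the document before the parser ever builds the string. The 10,240-byte default is an assumption taken from the REXML::Document.entity_expansion_text_limit the patched Ruby releases introduced; the XML inputs are constructed.

```ruby
# Added example, not REXML code: size entity expansion before parsing so the
# document is rejected instead of making the parser build a huge text node.
ENTITY_DECL = /<!ENTITY\s+(\w+)\s+(["'])(.*?)\2\s*>/m  # internal general entities
ENTITY_REF  = /&(\w+);/
PREDEFINED  = %w[lt gt amp apos quot].freeze
# name => replacement text for every <!ENTITY name "..."> in the DTD subset
def declared_entities(xml)
  xml.scan(ENTITY_DECL).each_with_object({}) { |(name, _q, value), h| h[name] = value }
end
# Fully expanded length of an entity, resolving nested references without ever
# building the expanded string; raises as soon as `limit` is exceeded.
def expanded_length(name, entities, limit, memo = {}, stack = [])
  return memo[name] if memo.key?(name)
  return memo[name] = 1 if PREDEFINED.include?(name)
  raise ArgumentError, "recursive entity reference via '#{name}'" if stack.include?(name)
  value = entities[name]
  return memo[name] = "&#{name};".length if value.nil? # undeclared: stays literal
  len = value.gsub(ENTITY_REF, "").length
  value.scan(ENTITY_REF).flatten.each do |ref|
    len += expanded_length(ref, entities, limit, memo, stack + [name])
    raise RangeError, "entity '#{name}' expands past #{limit} bytes" if len > limit
  end
  memo[name] = len
end

# [:ok, largest_expansion] or [:reject, reason]; 10_240 mirrors the default
# REXML::Document.entity_expansion_text_limit that the fix for this CVE introduced.
def check_entity_expansion(xml, limit: 10_240)
  entities = declared_entities(xml)
  memo = {}
  max = entities.keys.map { |n| expanded_length(n, entities, limit, memo) }.max || 0
  [:ok, max]
rescue RangeError, ArgumentError => e
  [:reject, e.message]
end

# Constructed inputs: a harmless entity, and a chain where each level is ten
# copies of the previous one (500 -> 5_000 -> 50_000 characters).
SAFE_XML = <<~XML
  <!DOCTYPE note [ <!ENTITY org "Example Org"> ]>
  <note><from>&org;</from></note>
XML
NESTED_XML = <<~XML
  <!DOCTYPE x [
    <!ENTITY a "#{"A" * 500}">
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  ]>
  <x>&c;</x>
XML
```

Running the check on untrusted XML before handing it to REXML gives a patched-style limit even on a parser build that lacks one; a recursive entity declaration is rejected as well.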
How to fix CVE-2013-1821
To remediate CVE-2013-1821, upgrade the affected package to a fixed version below.
- Debian/ruby1.8—upgrade to 1.8.7.302-2squeeze2 or later
- Debian/ruby1.9.1—upgrade to 1.9.2.0-2+deb6u1 or later
- JRuby—upgrade to 1.7.3 or later
Is CVE-2013-1821 being exploited?
Moderate — EPSS is 25.7%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- Debian/ruby1.8: from 0, < 1.8.7.302-2squeeze2
- Debian/ruby1.9.1: from 0, < 1.9.2.0-2+deb6u1
- JRuby: from 0, < 1.7.3