CVE-2015-3227
ruby-activesupport-3.2 - security update
EPSS 2.7%
Description
The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
How to fix CVE-2015-3227
To remediate CVE-2015-3227, upgrade the affected package to one of the fixed versions listed below:
- Debian/rails: upgrade to 2:4.2.4-2 or later
- Debian/ruby-activesupport-3.2: upgrade to 3.2.6-6+deb7u2 or later
- RubyGems/activesupport: upgrade to 4.1.11 or later
Is CVE-2015-3227 being exploited?
Low — EPSS is 2.7%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- Debian/rails: from 0, < 2:4.2.4-2
- Debian/ruby-activesupport-3.2: from 0, < 3.2.6-6+deb7u2
- RubyGems/activesupport: >= 4.0.0.beta1, < 4.1.11