Vigil@nce: Ruby, denial of service via REXML
August 2008 by Vigil@nce
An attacker can create a malicious XML file in order to generate a
denial of service on the victim's computer.
– Gravity: 2/4
– Consequences: denial of service
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 26/08/2008
– Identifier: VIGILANCE-VUL-8054
IMPACTED PRODUCTS
- Unix - platform
DESCRIPTION
Ruby can import libraries such as REXML. The latter is used to
generate and read XML files.
The REXML library is vulnerable when it processes an XML file recursively.
If a malicious file is opened, this can generate a denial of service.
An attacker can therefore send a malicious XML file to a victim,
in order to generate a denial of service on the victim's computer.
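The following defensive wrapper shows how a Ruby application can cap REXML's entity expansion and refuse documents whose internal DTD declares entities before parsing them. It is an added example, not part of the Vigil@nce advisory or of Ruby's own code; the MAX_EXPANSIONS value, the safe_parse helper and the two sample documents are constructed for illustration.

```ruby
require 'rexml/document'

# Two layers of hardening for untrusted XML handed to REXML:
# 1. Cap the number of entity expansions REXML will perform (constructed value).
# 2. Refuse any document whose internal DTD subset declares entities at all;
#    most data formats never need custom entities, so this is a cheap pre-check.
MAX_EXPANSIONS = 100

if REXML.const_defined?(:Security)
  REXML::Security.entity_expansion_limit = MAX_EXPANSIONS
else
  REXML::Document.entity_expansion_limit = MAX_EXPANSIONS
end

# Returns true if the internal DTD subset ([ ... ] inside <!DOCTYPE ...>)
# contains an <!ENTITY ...> declaration. Documents without an internal
# subset, or with only an external DTD reference, return false.
def declares_entities?(xml)
  subset = xml[/<!DOCTYPE[^\[>]*\[(.*?)\]\s*>/m, 1]
  return false if subset.nil?
  subset.include?('<!ENTITY')
end

# Parses untrusted XML and returns one of:
#   [:ok, document], [:rejected, reason] or [:error, message]
def safe_parse(xml)
  return [:rejected, 'internal DTD subset declares entities'] if declares_entities?(xml)
  doc = REXML::Document.new(xml)
  # Force text unnormalisation now so the expansion limit is enforced here,
  # not lazily somewhere deeper in the application.
  doc.root&.each_recursive { |e| e.texts.each(&:value) }
  [:ok, doc]
rescue REXML::ParseException, RuntimeError => e
  [:error, e.message]
end

# Constructed sample input: a harmless config document and one that
# declares a single internal entity (enough to trip the pre-check).
BENIGN_XML = '<?xml version="1.0"?><config><host>example.invalid</host></config>'
ENTITY_XML = '<?xml version="1.0"?><!DOCTYPE config [<!ENTITY a "x">]><config>&a;</config>'

if __FILE__ == $PROGRAM_NAME
  puts safe_parse(BENIGN_XML).first   # :ok
  puts safe_parse(ENTITY_XML).first   # :rejected
end
```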
CHARACTERISTICS
– Identifiers: CVE-2008-3790, VIGILANCE-VUL-8054
– Url: https://vigilance.aql.fr/tree/1/8054