Posted by zzak on 27 Oct 2014
Unrestricted entity expansion can lead to a DoS vulnerability in REXML. This vulnerability has been assigned the CVE identifier CVE-2014-8080. We strongly recommend to upgrade Ruby.
When reading text nodes from an XML document, the REXML parser can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.
Impacted code will look something like this:
All users running an affected release should either upgrade or use one of the workarounds immediately.
- All Ruby 1.9 versions prior to Ruby 1.9.3 patchlevel 550
- All Ruby 2.0 versions prior to Ruby 2.0.0 patchlevel 594
- All Ruby 2.1 versions prior to Ruby 2.1.4
- prior to trunk revision 48161
If you cannot upgrade Ruby, use this monkey patch as a workaround on versions of Ruby 2.1.0+:
For versions of Ruby older than 2.1.0, you can use the following monkey patch:
Thanks to Willis Vandevanter for reporting this issue.
- Originally published at 2014-10-27 12:00:00 (UTC)