Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CVE-2013-6460
Summary
Nokogiri gem 1.5.x prior to 1.5.11 and 1.6.x prior to 1.6.1 has Denial of Service via infinite loop when parsing XML documents.
- LOW
- NETWORK
- NONE
- UNCHANGED
- REQUIRED
- NONE
- NONE
- HIGH
CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
References
Advisory Timeline
- Published