Platform: ruby
Component: multi_xml
Fixed in: 0.5.2
CVE-2013-0175 is a critical object injection vulnerability discovered in the multi_xml Ruby gem. This flaw allows attackers to execute arbitrary code or trigger denial-of-service conditions by exploiting improper handling of string casts within XML parsing. The vulnerability impacts versions of multi_xml up to and including 0.5.1, and is particularly relevant to applications using Grape versions prior to 0.2.6 that utilize multi_xml.
The impact of CVE-2013-0175 is significant due to the potential for remote code execution. An attacker could exploit this vulnerability to gain control of a system running an application that utilizes the vulnerable multi_xml gem. This could involve executing malicious commands, stealing sensitive data, or installing malware. The vulnerability stems from the gem's inadequate handling of string casts within XML processing, allowing attackers to inject malicious objects through nested XML entity references. The exploitation leverages YAML type conversion or Symbol type conversion, creating a pathway for arbitrary code execution. This is analogous to the exploitation pattern seen in CVE-2013-0156, highlighting the severity of the flaw.
CVE-2013-0175 was published in 2017, although the vulnerability itself was discovered earlier. Public proof-of-concept exploits are available, indicating a relatively low barrier to entry for attackers. The vulnerability shares similarities with CVE-2013-0156, suggesting that attackers may leverage existing knowledge and tools to exploit it. The EPSS score is likely medium, reflecting the availability of PoCs and the potential for widespread exploitation.
Applications built with Ruby and utilizing the multi_xml gem, particularly those using Grape web frameworks before version 0.2.6, are at significant risk. Shared hosting environments where users have the ability to upload or process XML data are also vulnerable, as are legacy applications that have not been regularly updated.
• ruby / server:
gem list | grep multi_xml
• ruby / server:
gem list | grep grape
• ruby / server (matches both the gem name and direct MultiXml.parse calls):
grep -rE 'MultiXml\.parse|multi_xml' /path/to/your/application
EPSS: 1.26% (79th percentile)
The primary mitigation for CVE-2013-0175 is to upgrade the multi_xml gem to version 0.5.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation and sanitization to prevent the injection of malicious XML entities. Specifically, carefully scrutinize any XML data received from untrusted sources before processing it with the multi_xml gem. While a direct WAF rule is difficult to implement, restricting the types of data accepted and validating XML structure can reduce the attack surface. Review application code for any instances where user-supplied data is directly incorporated into XML documents.
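To check a project against the affected ranges stated on this page (multi_xml up to 0.5.1, Grape before 0.2.6), the following added example, which is not part of the original advisory or of either project, reads the text of a Gemfile.lock and reports pins below the fixed versions. The function names and the sample lockfile are constructed for illustration.

```ruby
# First fixed versions as stated in this advisory: gem name => version.
FIRST_FIXED = {
  "multi_xml" => Gem::Version.new("0.5.2"),
  "grape"     => Gem::Version.new("0.2.6"),
}.freeze

# Return { name => Gem::Version } for every resolved gem in a Gemfile.lock.
# Resolved gems are the 4-space "name (version)" lines under "specs:";
# deeper-indented lines are dependency constraints and are skipped.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
    elsif line =~ /\A\S/ # next top-level section (PLATFORMS, DEPENDENCIES, ...)
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      ver = m[2].split("-").first # drop a platform suffix such as "-java"
      versions[m[1]] = Gem::Version.new(ver) if Gem::Version.correct?(ver)
    end
  end
  versions
end

# Return one finding per gem that is locked below its first fixed version.
def audit_lockfile(lockfile_text)
  locked = locked_versions(lockfile_text)
  FIRST_FIXED.filter_map do |name, fixed|
    have = locked[name]
    next unless have && have < fixed
    { gem: name, locked: have.to_s, upgrade_to: fixed.to_s }
  end
end

# Constructed sample lockfile, not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      grape (0.2.5)
        multi_xml
      multi_xml (0.5.1)
      rack (1.5.2)

  PLATFORMS
    ruby
LOCK

audit_lockfile(SAMPLE_LOCK).each { |f| puts "#{f[:gem]} #{f[:locked]} affected; upgrade to >= #{f[:upgrade_to]}" }
```

Because it reads the resolved versions from the lockfile, this also catches multi_xml pulled in transitively (for example through Grape), which `gem list` on a build host may not reflect.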
CVE-2013-0175 is a HIGH severity vulnerability affecting the multi_xml Ruby gem, allowing remote attackers to execute code or cause denial of service through object injection by exploiting improper XML parsing.
You are affected if you are using multi_xml gem versions 0.5.1 or earlier, or if you are using Grape versions prior to 0.2.6 that rely on multi_xml.
Upgrade the multi_xml gem to version 0.5.2 or later. If upgrading is not possible, implement strict input validation and sanitization for XML data.
While active exploitation is unlikely due to the vulnerability's age and the availability of a patch, the potential for exploitation remains if systems are running vulnerable versions.
The official advisory can be found in the NVD database: https://nvd.nist.gov/vuln/detail/CVE-2013-0175