Platform
ruby
Component
multi_xml
Fixed in
0.5.2
CVE-2013-0175 is a critical object injection vulnerability discovered in the multi_xml Ruby gem. This flaw allows attackers to execute arbitrary code or trigger denial-of-service conditions by exploiting improper handling of string casts within XML parsing. The vulnerability impacts versions of multi_xml up to and including 0.5.1, and is particularly relevant to applications using Grape versions prior to 0.2.6 that utilize multi_xml.
The primary impact of CVE-2013-0175 is the potential for remote code execution (RCE). An attacker can craft malicious XML input that, when processed by the vulnerable multi_xml gem, leads to the execution of arbitrary commands on the server. This can result in complete system compromise, data theft, or further malicious activity. The vulnerability also presents a denial-of-service (DoS) risk, as nested XML entity references can be exploited to consume excessive memory and CPU resources, rendering the application unresponsive. The vulnerability's similarity to CVE-2013-0156 suggests a broader class of XML parsing vulnerabilities that should be reviewed.
CVE-2013-0175 was published on October 24, 2017. Public proof-of-concept exploits were not immediately available, but the vulnerability's similarity to CVE-2013-0156 raised concerns about potential exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability's age and the availability of a patch suggest that active exploitation is unlikely, but the potential for exploitation remains if systems are still running vulnerable versions.
Applications built with Ruby and utilizing the multi_xml gem, particularly those using the Grape web framework before version 0.2.6, are at significant risk. Shared hosting environments where users have the ability to upload or process XML data are also vulnerable, as are legacy applications that have not been regularly updated.
• ruby / server: gem list | grep multi_xml
• ruby / server: gem list | grep grape
• ruby / server: grep -rn 'MultiXml.parse' /path/to/your/application
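The checks above read versions off a live server by hand; as an added example (not code from the advisory or from the multi_xml project), the script below applies the same version ranges to a Gemfile.lock so the check can run in CI. The sample lockfile is constructed for the demonstration.

```ruby
require 'rubygems'

# Affected ranges as stated in the advisory: multi_xml <= 0.5.1 (fixed in
# 0.5.2) and Grape < 0.2.6, which depended on a vulnerable multi_xml.
CVE_2013_0175_RANGES = {
  'multi_xml' => Gem::Requirement.new('< 0.5.2'),
  'grape'     => Gem::Requirement.new('< 0.2.6'),
}.freeze

# Parse the specs sections of a Gemfile.lock into { name => Gem::Version }.
# Only lines indented by exactly four spaces pin a gem ("    multi_xml (0.5.1)");
# six-space lines are that gem's dependencies and carry requirements, not pins.
# A platform suffix such as "(1.6.0-x86_64-linux)" is dropped.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \((\S+?)(?:-\S+)?\)\s*\z/)
    versions[m[1]] = Gem::Version.new(m[2]) if m
  end
  versions
end

# Return { gem_name => { version:, requirement: } } for every locked gem whose
# version lies inside an affected range; an empty hash means not affected.
def affected_gems(lockfile_text)
  locked_versions(lockfile_text).each_with_object({}) do |(name, version), hits|
    req = CVE_2013_0175_RANGES[name]
    next unless req && req.satisfied_by?(version)
    hits[name] = { version: version.to_s, requirement: req.to_s }
  end
end

# Constructed sample lockfile for demonstration (not from a real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      grape (0.2.5)
        multi_xml (>= 0.5.0)
      multi_xml (0.5.1)
      rack (1.4.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  affected_gems(lock).each do |name, hit|
    puts "#{name} #{hit[:version]} is inside the CVE-2013-0175 range #{hit[:requirement]}"
  end
end
```

Run it as `ruby check.rb Gemfile.lock`; a non-empty result means the lockfile pins a version inside an affected range and the upgrade to multi_xml 0.5.2 or later still needs to happen.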
EPSS: 1.26% (79th percentile)
The definitive mitigation for CVE-2013-0175 is to upgrade the multi_xml gem to version 0.5.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation and sanitization to prevent the injection of malicious XML payloads. Specifically, restrict the types of data that can be cast and carefully validate XML input before processing. Web application firewalls (WAFs) configured to detect and block malicious XML payloads can provide an additional layer of defense. There are no specific Sigma or YARA rules readily available for this vulnerability, but generic XML parsing anomaly detection rules may be applicable.
No official patch available. Look for workarounds or monitor for updates.
CVE-2013-0175 is a HIGH severity vulnerability affecting the multi_xml Ruby gem, allowing remote attackers to execute code or cause denial of service through object injection by exploiting improper XML parsing.
You are affected if you are using multi_xml gem versions 0.5.1 or earlier, or if you are using Grape versions prior to 0.2.6 that rely on multi_xml.
Upgrade the multi_xml gem to version 0.5.2 or later. If upgrading is not possible, implement strict input validation and sanitization for XML data.
While active exploitation is unlikely due to the vulnerability's age and the availability of a patch, the potential for exploitation remains if systems are running vulnerable versions.
The official advisory can be found in the NVD database: https://nvd.nist.gov/vuln/detail/CVE-2013-0175