CVE-2013-0175 is a critical object injection vulnerability in the multi_xml Ruby gem. The flaw lets attackers execute arbitrary code or trigger denial-of-service conditions by exploiting improper handling of string casts during XML parsing. It affects multi_xml versions up to and including 0.5.1 and is particularly relevant to applications using Grape versions prior to 0.2.6, which rely on multi_xml.
The primary impact of CVE-2013-0175 is the potential for remote code execution (RCE). An attacker can craft malicious XML input that, when processed by the vulnerable multi_xml gem, leads to the execution of arbitrary commands on the server. This can result in complete system compromise, data theft, or further malicious activity. The vulnerability also presents a denial-of-service (DoS) risk, as nested XML entity references can be exploited to consume excessive memory and CPU resources, rendering the application unresponsive. The vulnerability's similarity to CVE-2013-0156 suggests a broader class of XML parsing vulnerabilities that should be reviewed.
CVE-2013-0175 was published on October 24, 2017. Public proof-of-concept exploits were not immediately available, but the vulnerability's similarity to CVE-2013-0156 raised concerns about potential exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability's age and the availability of a patch suggest that active exploitation is unlikely, but the potential for exploitation remains if systems are still running vulnerable versions.
Applications built with Ruby that use the multi_xml gem, particularly those built on the Grape web framework before version 0.2.6, are at significant risk. Shared hosting environments where users can upload or submit XML data are also exposed, as are legacy applications that have not been regularly updated.
• ruby / server: gem list | grep multi_xml
• ruby / server: gem list | grep grape
• ruby / server: grep -r 'multi_xml.parse' /path/to/your/application
Exploitation status
EPSS
1.26% (79th percentile)
The definitive mitigation for CVE-2013-0175 is to upgrade the multi_xml gem to version 0.5.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation and sanitization to prevent the injection of malicious XML payloads. Specifically, restrict the types of data that can be cast and carefully validate XML input before processing. Web application firewalls (WAFs) configured to detect and block malicious XML payloads can provide an additional layer of defense. There are no specific Sigma or YARA rules readily available for this vulnerability, but generic XML parsing anomaly detection rules may be applicable.
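For the case where upgrading has to wait, the paragraph above suggests restricting which casts the XML can request. The following is an added example, not code from this advisory or from the multi_xml project, showing one way to do that in the application: it inspects the `type` attributes in an incoming XML document before the document reaches the parser and rejects anything outside an allowlist of plain data types. Assumptions, labelled here and in the code: that multi_xml chooses a cast from the element's `type` attribute, and that the casts disabled by the 0.5.2 fix are `yaml` and `symbol`. The sample documents are constructed.

```ruby
# Added example: pre-parse allowlist for the "type" attribute (assumption:
# multi_xml decides how to cast element text from this attribute, and the
# casts removed by the 0.5.2 fix are yaml and symbol). Anything not on the
# allowlist is reported so the request can be rejected before parsing.
require "rexml/document"

ALLOWED_TYPES = %w[string integer float boolean datetime date array].freeze

class DisallowedTypeCast < StandardError; end

# Return [[element_name, type_value], ...] for every element whose type
# attribute is not on the allowlist. A malformed document is reported as a
# finding too, since it should not reach the real parser either.
def disallowed_type_casts(xml)
  doc = REXML::Document.new(xml)
  findings = []
  REXML::XPath.each(doc, "//*[@type]") do |el|
    t = el.attributes["type"].to_s.strip.downcase
    findings << [el.name, t] unless ALLOWED_TYPES.include?(t)
  end
  findings
rescue REXML::ParseException => e
  [["<parse error>", e.message.lines.first.to_s.strip]]
end

# Gatekeeper for a request body: returns the XML unchanged when it only
# requests allowlisted casts, raises otherwise (map to HTTP 400 in the app).
def validate_xml_types!(xml)
  bad = disallowed_type_casts(xml)
  raise DisallowedTypeCast, "disallowed type casts: #{bad.inspect}" unless bad.empty?
  xml
end

# Constructed samples: an ordinary document and one requesting non-data casts.
SAFE_XML   = '<user><name>alice</name><age type="integer">30</age></user>'
UNSAFE_XML = '<user><name type="symbol">alice</name><data type="yaml">k: v</data></user>'

if __FILE__ == $PROGRAM_NAME
  [SAFE_XML, UNSAFE_XML].each do |doc|
    begin
      validate_xml_types!(doc)
      puts "accepted: #{doc}"
    rescue DisallowedTypeCast => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The check is deliberately an allowlist rather than a blocklist of the two known-bad values, so a cast the application never needs is refused even if it is not one the advisory names. It complements, and does not replace, upgrading to 0.5.2.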
No official patch is listed yet. Look for temporary workarounds or keep watching for updates.
CVE-2013-0175 is a HIGH severity vulnerability affecting the multi_xml Ruby gem, allowing remote attackers to execute code or cause denial of service through object injection by exploiting improper XML parsing.
You are affected if you are using multi_xml gem versions 0.5.1 or earlier, or Grape versions prior to 0.2.6 that rely on multi_xml.
Upgrade the multi_xml gem to version 0.5.2 or later. If upgrading is not possible, implement strict input validation and sanitization for XML data.
While active exploitation is unlikely due to the vulnerability's age and the availability of a patch, the potential for exploitation remains if systems are running vulnerable versions.
The official advisory can be found in the NVD database: https://nvd.nist.gov/vuln/detail/CVE-2013-0175