CVE-2013-1812

The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.
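| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 4.3 UNKNOWN | NETWORK | MEDIUM | | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| redhat | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |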
EPSS Score percentile: 66%
| Vendor | Product | Version |
|---|---|---|
| janrain | ruby-openid | 𝑥 ≤ 2.2.1 |
| janrain | ruby-openid | 2.2.0 |

𝑥 = Vulnerable software versions
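Debian Releases

| Debian Product | Codename | Status |
|---|---|---|
| ruby-openid | bullseye | 2.9.2debian-1, fixed |
| ruby-openid | bookworm | 2.9.2debian-2, fixed |
| ruby-openid | sid | 2.9.2debian-3, fixed |
| ruby-openid | trixie | 2.9.2debian-3, fixed |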
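Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| libopenid-ruby | raring | dne |
| libopenid-ruby | quantal | dne |
| libopenid-ruby | precise | Fixed 2.1.8debian-1ubuntu0.1, released |
| libopenid-ruby | oneiric | ignored |
| libopenid-ruby | lucid | Fixed 2.1.7debian-1ubuntu0.1, released |
| libopenid-ruby | hardy | dne |
| ruby-openid | raring | not-affected |
| ruby-openid | quantal | Fixed 2.1.8debian-5ubuntu0.1, released |
| ruby-openid | precise | dne |
| ruby-openid | oneiric | dne |
| ruby-openid | lucid | dne |
| ruby-openid | hardy | dne |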
Common Weakness Enumeration