Ruby/multi_xml/0.1.1
Provides swappable XML backends utilizing LibXML, Nokogiri, Ox, or REXML.
https://rubygems.org/gems/multi_xml
UNKNOWN
2 Security Vulnerabilities
Improper Input Validation in multi_xml
- https://nvd.nist.gov/vuln/detail/CVE-2013-0175
- https://github.com/advisories/GHSA-pchc-949f-53m5
- https://github.com/sferik/multi_xml/pull/34
- https://gist.github.com/nate/d7f6d9f4925f413621aa
- https://groups.google.com/forum/?fromgroups=#!topic/ruby-grape/fthDkMgIOa0
- https://news.ycombinator.com/item?id=5040457
- http://www.openwall.com/lists/oss-security/2013/01/11/9
- https://groups.google.com/forum/?fromgroups=#%21topic/ruby-grape/fthDkMgIOa0
- https://www.openwall.com/lists/oss-security/2013/01/11/9
- https://github.com/sferik/multi_xml/commit/c94b136d06822514fc2e99dc851e6c4eeb4c8bdf
multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution
The multi_xml Gem for Ruby contains a flaw that is triggered when an error occurs during the parsing of the 'XML' parameter. With a crafted request containing arbitrary symbol and yaml types, a remote attacker can execute arbitrary commands.
22 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 0.6.0 | MIT | 2016-12-06 - 07:45 | over 7 years | |
| 0.5.5 | MIT | 2013-08-06 - 05:52 | over 10 years | |
| 0.5.4 | MIT | 2013-06-04 - 14:05 | almost 11 years | |
| 0.5.3 | MIT | 2013-02-08 - 01:05 | about 11 years | |
| 0.5.2 | MIT | 2013-01-11 - 07:44 | over 11 years | |
| 0.5.1 | UNKNOWN | 2 | 2012-05-10 - 01:25 | almost 12 years |
| 0.5.0 | UNKNOWN | 2 | 2012-05-08 - 22:05 | almost 12 years |
| 0.4.4 | UNKNOWN | 2 | 2012-04-16 - 15:04 | about 12 years |
| 0.4.3 | UNKNOWN | 2 | 2012-04-16 - 08:14 | about 12 years |
| 0.4.2 | UNKNOWN | 2 | 2012-03-12 - 17:02 | about 12 years |
| 0.4.1 | UNKNOWN | 2 | 2011-09-26 - 15:03 | over 12 years |
| 0.4.0 | UNKNOWN | 2 | 2011-09-06 - 15:16 | over 12 years |
| 0.3.0 | UNKNOWN | 2 | 2011-08-08 - 07:06 | over 12 years |
| 0.2.2 | UNKNOWN | 2 | 2011-03-20 - 21:07 | about 13 years |
| 0.2.1 | UNKNOWN | 2 | 2011-02-03 - 15:04 | about 13 years |
| 0.2.0 | UNKNOWN | 2 | 2010-10-22 - 16:05 | over 13 years |
| 0.1.4 | UNKNOWN | 2 | 2010-10-20 - 15:41 | over 13 years |
| 0.1.3 | UNKNOWN | 2 | 2010-10-19 - 00:42 | over 13 years |
| 0.1.2 | UNKNOWN | 2 | 2010-10-16 - 18:19 | over 13 years |
| 0.1.1 | UNKNOWN | 2 | 2010-10-16 - 16:40 | over 13 years |
| 0.1.0 | UNKNOWN | 2 | 2010-10-12 - 14:55 | over 13 years |
| 0.0.1 | UNKNOWN | 2 | 2010-10-03 - 05:57 | over 13 years |