---
engine: ruby
cve: 2014-8080
osvdb: 113747
url: http://www.osvdb.org/show/osvdb/113747
title: Ruby lib/rexml/entity.rb XML External Entity (XXE) Expansion Remote DoS
date: 2014-10-27
description: |
  Ruby contains an XXE (Xml eXternal Entity) injection flaw in
  lib/rexml/entity.rb that is triggered during the parsing of XML data.
  The issue is due to an incorrectly configured XML parser accepting
  XML external entities from an untrusted source. By sending specially
  crafted XML data, a remote attacker can consume all available memory
  and cause a denial of service.
cvss_v2: 5.0
patched_versions:
  - ~> 1.9.3.550
  - ~> 2.0.0.594
  - ">= 2.1.4"