{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-06-16T00:00:00", "descriptions": [{"lang": "en", "value": "The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-15T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "1033755", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1033755"}, {"name": "75234", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/75234"}, {"name": "[rubyonrails-security] 20150616 [CVE-2015-3227] Possible Denial of Service attack in Active Support", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"}, {"name": "openSUSE-SU-2015:1279", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html"}, {"name": "DSA-3464", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3464"}, {"name": "[oss-security] 20150616 [CVE-2015-3227] Possible Denial of Service attack in Active Support", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2015/06/16/16"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-3227", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1033755", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1033755"}, {"name": "75234", "refsource": "BID", "url": "http://www.securityfocus.com/bid/75234"}, {"name": "[rubyonrails-security] 20150616 [CVE-2015-3227] Possible Denial of Service attack in Active Support", "refsource": "MLIST", "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"}, {"name": "openSUSE-SU-2015:1279", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html"}, {"name": "DSA-3464", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3464"}, {"name": "[oss-security] 20150616 [CVE-2015-3227] Possible Denial of Service attack in Active Support", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2015/06/16/16"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:39:32.037Z"}, "title": "CVE Program Container", "references": [{"name": "1033755", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1033755"}, {"name": "75234", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/75234"}, {"name": "[rubyonrails-security] 20150616 [CVE-2015-3227] Possible Denial of Service attack in Active Support", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"}, {"name": "openSUSE-SU-2015:1279", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html"}, {"name": "DSA-3464", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3464"}, {"name": "[oss-security] 20150616 [CVE-2015-3227] Possible Denial of Service attack in Active Support", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2015/06/16/16"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-3227", "datePublished": "2015-07-26T22:00:00", "dateReserved": "2015-04-10T00:00:00", "dateUpdated": "2024-08-06T05:39:32.037Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0B7A927B-7E18-44B5-9307-E602790F8AB7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*", "matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth."}, {"lang": "es", "value": "Vulnerabilidad en los componentes (1) jdom.rb y (2) rexml.rb en Active Support en Ruby on Rails en versiones anteriores a 4.1.11 y 4.2.x anteriores a 4.2.2, cuando JDOM o REXML est\u00e1 activado, permite a atacantes remotos causar una denegaci\u00f3n de servicio (SystemStackError) a trav\u00e9s de un documento XML de gran tama\u00f1o."}], "id": "CVE-2015-3227", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-07-26T22:59:06.070", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html"}, {"source": "secalert@redhat.com", "url": "http://openwall.com/lists/oss-security/2015/06/16/16"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2016/dsa-3464"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/75234"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1033755"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2015-07/msg00050.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2015/06/16/16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3464"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/75234"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1033755"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Ruby upstream developers for reporting this issue.", "bugzilla": {"description": "rubygem-activesupport: Possible Denial of Service attack in Active Support in merge_element()", "id": "1232302", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1232302"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "draft"}, "cwe": "CWE-400", "details": ["The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth."], "name": "CVE-2015-3227", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-activesupport", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Will not fix", "package_name": "rh-ror41-rubygem-activesupport", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Will not fix", "package_name": "ror40-rubygem-activesupport", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-activesupport", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-activesupport", "product_name": "Red Hat Subscription Asset Manager"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "rubygem-activesupport", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2015-06-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-3227\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-3227"], "threat_severity": "Moderate"}