CVE-2013-1812

Published: Dec 12, 2013Modified: Apr 29, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:N/A:P

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.

Affected (4)

Products: Fedoraproject: Fedora · Janrain: Ruby Openid

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 17
Fedoraproject Fedora	Version 18

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Janrain Ruby Openid	Up to 2.2.1
Janrain Ruby Openid	Version 2.2.0

Related CWEs

CWE-399

References (14)

http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120204.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120361.html

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2013/03/03/8

Source: secalert@redhat.com

Patch

https://bugzilla.redhat.com/show_bug.cgi?id=918134

Source: secalert@redhat.com

https://github.com/openid/ruby-openid/blob/master/CHANGELOG.md

Source: secalert@redhat.com

https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed

Source: secalert@redhat.com

ExploitPatch

https://github.com/openid/ruby-openid/pull/43

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120204.html