CVE-2013-1812
Denial of service in ruby-openid
EPSS 0.53%
Description
The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.
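As an added illustration of the two vectors named above (this is example code, not ruby-openid's own fix, which is the upgrade below), the following Ruby guard rejects an oversized XRDS response and any XRDS that carries a DTD before the document reaches the XML parser. The constant `MAX_XRDS_BYTES`, the function names and the sample documents are this example's own assumptions.

```ruby
# Added example, not code from the ruby-openid gem: a guarded XRDS consumer
# that refuses the two DoS vectors from CVE-2013-1812 before parsing.
require 'rexml/document'

# Assumed cap for an XRDS document; real XRDS files are a few kilobytes.
MAX_XRDS_BYTES = 64 * 1024

class UnsafeXrds < StandardError; end

# Returns the Service URI values from an XRDS document, or raises UnsafeXrds.
def safe_xrds_service_uris(xml, max_bytes: MAX_XRDS_BYTES)
  # Vector 1: a large document burns CPU in the parser, so check the size
  # before parsing, not after.
  if xml.bytesize > max_bytes
    raise UnsafeXrds, "XRDS document too large (#{xml.bytesize} bytes)"
  end
  # Vector 2: entity expansion needs a DTD. XRDS never legitimately carries
  # one, so refuse any DOCTYPE or ENTITY declaration outright.
  if xml.match?(/<!(DOCTYPE|ENTITY)\b/i)
    raise UnsafeXrds, 'DTD or entity declaration in XRDS document'
  end
  doc = REXML::Document.new(xml)
  uris = []
  REXML::XPath.each(doc, '//Service/URI') { |node| uris << node.text.to_s.strip }
  uris
rescue REXML::ParseException => e
  raise UnsafeXrds, "malformed XRDS: #{e.message}"
end

# Convenience wrapper: true when the guard rejects the document.
def rejects_xrds?(xml, **opts)
  safe_xrds_service_uris(xml, **opts)
  false
rescue UnsafeXrds
  true
end

# Constructed sample: a minimal, well-formed OpenID 2.0 XRDS document.
BENIGN_XRDS = <<~'XML'
  <?xml version="1.0" encoding="UTF-8"?>
  <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
    <XRD><Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.test/openid</URI>
    </Service></XRD>
  </xrds:XRDS>
XML

# Constructed sample: the same document with an internal DTD. The guard
# rejects every DTD, so even this single harmless entity is refused.
DTD_XRDS = BENIGN_XRDS.sub('<xrds:XRDS', "<!DOCTYPE xrds [<!ENTITY e \"x\">]>\n<xrds:XRDS")
```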
How to fix CVE-2013-1812
To remediate CVE-2013-1812, upgrade the affected package to one of the fixed versions listed below:
- Debian/ruby-openid: upgrade to 2.1.8debian-6 or later
- RubyGems/ruby-openid: upgrade to 2.2.2 or later
Is CVE-2013-1812 being exploited?
Low: EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/ruby-openid: from 0, < 2.1.8debian-6
- RubyGems/ruby-openid: from 0, < 2.2.2