Vulnerability CVE-2013-6460 - CERT Civis.Net

Vulnerability Name:

CVE-2013-6460 (CCN-90058)

Assigned:

2013-12-14

Published:

2013-12-14

Updated:

2021-07-15

Summary:

Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2013-6460

Source: CCN
Type: RubyGems Web site
Nokogiri gem for Ruby

Source: CCN
Type: SA56179
Ruby Nokogiri Gem JRuby XML Processing Two Denial of Service Vulnerabilities

Source: MISC
Type: Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2013/12/27/2

Source: CCN
Type: BID-64513
Ruby Nokogiri Gem XML Parsing Multiple Denial of Service Vulnerabilities

Source: MISC
Type: Third Party Advisory, VDB Entry
http://www.securityfocus.com/bid/64513

Source: MISC
Type: Third Party Advisory
https://access.redhat.com/security/cve/cve-2013-6460

Source: MISC
Type: Exploit, Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6460

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6460

Source: MISC
Type: Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/90058

Source: XF
Type: UNKNOWN
nokogiri-cve20136460-dos(90058)

Source: CCN
Type: ruby-security-ann
DoS Vulnerabilities in Nokogiri on JRuby

Source: MISC
Type: Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2013-6460

Vulnerable Configuration:

Configuration 1:

cpe:/a:nokogiri:nokogiri:*:*:*:*:*:*:*:* (Version >= 1.6.0 and < 1.6.1)

OR cpe:/a:nokogiri:nokogiri:*:*:*:*:*:*:*:* (Version >= 1.5.0 and < 1.5.11)

Configuration 2:

cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_mrg:2.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:openstack:3.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:openstack:4.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:satellite:6.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:subscription_asset_manager:-:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.precise:def:20136460000	V	CVE-2013-6460 on Ubuntu 12.04 LTS (precise) - medium.	2013-12-31