Vulnerability Name:

CVE-2015-3227 (CCN-104027)

Assigned:2015-06-16
Published:2015-06-16
Updated:2019-08-08
Summary:The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Denial of Service
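A constructed illustration of the failure mode in the Summary and of the depth check that closes it. This is an added example written for this page, not ActiveSupport's own code: it uses Ruby's standard REXML to build the same element tree the REXML backend walks, converts that tree to a Hash with an unbounded recursive walk in the style of the vulnerable backend, and beside it a bounded walk that refuses the document once a per-level depth budget is exhausted. `nested_xml` is a constructed input generator; `DEFAULT_DEPTH = 100` assumes the limit the fixed releases expose as `ActiveSupport::XmlMini.depth` (check your installed version); `DocumentTooDeep` is a hypothetical error class standing in for the `REXML::ParseException` the fix raises.

```ruby
require "rexml/document"

# Assumption: the fixed ActiveSupport releases expose a depth limit
# (ActiveSupport::XmlMini.depth) whose default is 100; this constant mirrors it.
DEFAULT_DEPTH = 100

# Hypothetical error type for this example; the real backend raises a
# REXML::ParseException with the message "The document is too deep".
class DocumentTooDeep < StandardError; end

# Constructed input: `levels` nested <a> elements around one text node,
# e.g. nested_xml(3) => "<a><a><a>x</a></a></a>".
def nested_xml(levels, name = "a")
  "#{"<#{name}>" * levels}x#{"</#{name}>" * levels}"
end

# "Before": recursion bounded only by the input. Every nesting level costs a
# method frame plus a block frame, so a document tens of thousands of levels
# deep dies with SystemStackError instead of a parse error.
def element_to_hash_unbounded(element)
  children = element.elements.to_a
  value = children.empty? ? element.text : children.map { |c| element_to_hash_unbounded(c) }
  { element.name => value }
end

# "After": the caller hands in a depth budget that is decremented per level;
# the walk refuses the document before the recursion can exhaust the stack.
def element_to_hash(element, depth = DEFAULT_DEPTH)
  raise DocumentTooDeep, "The document is too deep" if depth == 0

  children = element.elements.to_a
  value = if children.empty?
            element.text
          else
            children.map { |c| element_to_hash(c, depth - 1) }
          end
  { element.name => value }
end

# Entry point in the shape of a backend's parse(data): REXML's tree builder is
# iterative, so the tree itself is built; the bounded walk then guards the recursion.
def parse_xml(data, depth: DEFAULT_DEPTH)
  doc = REXML::Document.new(data)
  doc.root ? element_to_hash(doc.root, depth) : {}
end

# True when the bounded parser refuses `data` as too deep, false when it parses.
def rejects_as_too_deep?(data, depth: DEFAULT_DEPTH)
  parse_xml(data, depth: depth)
  false
rescue DocumentTooDeep
  true
end

# True when the unbounded walk survives `levels` nesting levels, false when it
# dies with SystemStackError (the symptom described for CVE-2015-3227).
def unbounded_walk_survives?(levels)
  element_to_hash_unbounded(REXML::Document.new(nested_xml(levels)).root)
  true
rescue SystemStackError
  false
end

if $PROGRAM_NAME == __FILE__
  p parse_xml(nested_xml(3))                             # {"a"=>[{"a"=>[{"a"=>"x"}]}]}
  p rejects_as_too_deep?(nested_xml(DEFAULT_DEPTH))      # false: exactly at the limit
  p rejects_as_too_deep?(nested_xml(DEFAULT_DEPTH + 1))  # true: one level over
  p unbounded_walk_survives?(50_000)                     # false on a default Ruby stack
end
```

The budget is checked on entry to each level rather than after the children are collected, so the limit holds for wide documents as well as deep ones: a 101st level is refused before any of its siblings are visited. A service that must accept deeper documents should raise the budget deliberately rather than remove the check, and should treat the exception as a client error rather than let it surface as a 500.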
References:Source: MITRE
Type: CNA
CVE-2015-3227

Source: CCN
Type: Ruby on Rails Web site
Active Support Core Extensions

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2015:1279

Source: MLIST
Type: UNKNOWN
[oss-security] 20150616 [CVE-2015-3227] Possible Denial of Service attack in Active Support

Source: CCN
Type: oss-security Mailing List, Tue, 16 Jun 2015 11:06:07 -0700
[CVE-2015-3227] Possible Denial of Service attack in Active Support

Source: DEBIAN
Type: UNKNOWN
DSA-3464

Source: CCN
Type: IBM Security Bulletin 1963212
Vulnerability in Ruby on Rails affects IBM Endpoint Manager for Security Configuration Management Security Compliance Analytics

Source: BID
Type: UNKNOWN
75234

Source: CCN
Type: BID-75234
Ruby on Rails activesupport CVE-2015-3227 XML Parsing Remote Denial of Service Vulnerability

Source: SECTRACK
Type: UNKNOWN
1033755

Source: XF
Type: UNKNOWN
activesupport-cve20153227-dos(104027)

Source: MLIST
Type: Vendor Advisory
[rubyonrails-security] 20150616 [CVE-2015-3227] Possible Denial of Service attack in Active Support

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-3227

Vulnerable Configuration:Configuration 1:
  • cpe:/o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Note: the Summary's range (4.1.x before 4.1.11) also covers 4.1.9 and 4.1.10, which the enumerated CPEs above omit; match on the version range rather than on the CPE list alone.
    Oval Definitions (Class: V = vulnerability definition, P = patch definition)
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20153227 | V | CVE-2015-3227 | 2022-06-30
    oval:org.opensuse.security:def:113354 | P | ruby2.2-rubygem-activesupport-4_2-4.2.7.1-1.1 on GA media (Moderate) | 2022-01-17
    oval:org.opensuse.security:def:106761 | P | Security update for p11-kit (Important) | 2021-12-22
    oval:org.opensuse.security:def:55258 | P | Security update for MozillaFirefox (Important) | 2021-10-15
    oval:org.opensuse.security:def:55941 | P | Security update for unrar (Moderate) | 2021-08-25
    oval:org.opensuse.security:def:55775 | P | Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP2) (Important) | 2020-12-07
    oval:org.opensuse.security:def:27010 | P | pcsc-lite on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27846 | P | Security update for openldap2 | 2020-12-01
    oval:org.opensuse.security:def:26433 | P | Security update for MozillaThunderbird (Critical) | 2020-12-01
    oval:org.opensuse.security:def:56500 | P | Security update for openssh (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27564 | P | rubygem-sprockets-2_2 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26858 | P | aaa_base on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:55496 | P | Security update for MozillaFirefox (Important) | 2020-12-01
    oval:org.opensuse.security:def:26946 | P | libecpg6 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27208 | P | libpoppler-glib4 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26432 | P | Security update for ansible (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56426 | P | Security update for ncurses (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27511 | P | lxc on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26774 | P | libxml2 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:28348 | P | Security update for php53 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26935 | P | lcms on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27164 | P | krb5-doc on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56334 | P | Security update for libvpx (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27360 | P | MozillaFirefox-devel on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26717 | P | gzip on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:55118 | P | ghostscript on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27710 | P | Security update for bind | 2020-12-01
    oval:org.opensuse.security:def:26934 | P | kvm on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27150 | P | jakarta-commons-fileupload on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56226 | P | Security update for libXcursor (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27276 | P | python on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26636 | P | rsync on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27881 | P | Security update for rubygem-activesupport-3_2 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:55096 | P | e2fsprogs on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27666 | P | Security update for rubygem-activesupport-2_3 | 2020-12-01
    oval:org.opensuse.security:def:27111 | P | dnsmasq on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27219 | P | libsss_idmap0 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26508 | P | Security update for phpMyAdmin (Important) | 2020-12-01
    oval:org.opensuse.security:def:56619 | P | Security update for libX11 and libxcb (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:55095 | P | dracut on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27652 | P | Security update for mozilla-nspr, mozilla-nss | 2020-12-01
    oval:org.opensuse.security:def:27062 | P | xorg-x11-server-dmx on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27138 | P | gpg2 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:28383 | P | Security update for rubygem-activesupport-3_2 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26444 | P | Security update for mumble (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:56538 | P | Security update for gdk-pixbuf (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27613 | P | Security update for MozillaFirefox | 2020-12-01
    oval:org.opensuse.security:def:27009 | P | pcsc-ccid on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:55669 | P | Security update for libmspack (Moderate) | 2020-12-01
    oval:com.ubuntu.cosmic:def:201532270000000 | V | CVE-2015-3227 on Ubuntu 18.10 (cosmic) - low. | 2015-07-26
    oval:com.ubuntu.artful:def:20153227000 | V | CVE-2015-3227 on Ubuntu 17.10 (artful) - low. | 2015-07-26
    oval:com.ubuntu.trusty:def:20153227000 | V | CVE-2015-3227 on Ubuntu 14.04 LTS (trusty) - low. | 2015-07-26
    oval:com.ubuntu.bionic:def:201532270000000 | V | CVE-2015-3227 on Ubuntu 18.04 LTS (bionic) - low. | 2015-07-26
    oval:com.ubuntu.bionic:def:20153227000 | V | CVE-2015-3227 on Ubuntu 18.04 LTS (bionic) - low. | 2015-07-26
    oval:com.ubuntu.xenial:def:20153227000 | V | CVE-2015-3227 on Ubuntu 16.04 LTS (xenial) - low. | 2015-07-26
    oval:com.ubuntu.xenial:def:201532270000000 | V | CVE-2015-3227 on Ubuntu 16.04 LTS (xenial) - low. | 2015-07-26
    oval:com.ubuntu.cosmic:def:20153227000 | V | CVE-2015-3227 on Ubuntu 18.10 (cosmic) - low. | 2015-07-26
    oval:com.ubuntu.disco:def:201532270000000 | V | CVE-2015-3227 on Ubuntu 19.04 (disco) - low. | 2015-07-26
    oval:com.ubuntu.precise:def:20153227000 | V | CVE-2015-3227 on Ubuntu 12.04 LTS (precise) - low. | 2015-07-26
    Note: of the openSUSE patch (P) definitions above, only the rubygem-activesupport entries name the affected component; the remaining titles are for other packages and should not be read as fixes for this CVE.