CVE-2013-6460
First published: Tue Nov 05 2019(Updated: )
Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nokogiri Nokogiri | >=1.5.0<1.5.11 | |
| Nokogiri Nokogiri | >=1.6.0<1.6.1 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Redhat Cloudforms Management Engine | =5.0 | |
| Redhat Openstack | =3.0 | |
| Redhat Openstack | =4.0 | |
| Redhat Satellite | =6.0 | |
| Redhat Subscription Asset Manager | ||
| Redhat Enterprise Mrg | =2.0 | |
| debian/ruby-nokogiri | 1.11.1+dfsg-2 1.13.10+dfsg-2 1.16.4+dfsg-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA
- https://security-tracker.debian.org/tracker/CVE-2013-6460
- http://www.openwall.com/lists/oss-security/2013/12/27/2
- http://www.securityfocus.com/bid/64513
- https://access.redhat.com/security/cve/cve-2013-6460
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6460
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6460
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90058
Frequently Asked Questions
What is CVE-2013-6460?
CVE-2013-6460 is a vulnerability in the Nokogiri gem 1.5.x that allows for a Denial of Service attack through an infinite loop when parsing XML documents.
What software is affected by CVE-2013-6460?
The Nokogiri gem versions 1.5.x to 1.5.11 and 1.6.0 to 1.6.1 are affected. Also, certain versions of Debian Linux, Redhat Cloudforms Management Engine, Redhat Openstack, Redhat Satellite, and Redhat Enterprise MRG are affected.
How severe is CVE-2013-6460?
CVE-2013-6460 has a severity score of 6.5, which is considered medium.
How can I fix CVE-2013-6460?
To fix CVE-2013-6460, update the Nokogiri gem to version 1.10.0+dfsg1-2 or higher if using Debian, or update to versions 1.10.0+dfsg1-2+deb10u1, 1.11.1+dfsg-2, 1.13.10+dfsg-2, or 1.15.4+dfsg-1. For affected Redhat products, follow the remediation steps provided by Redhat.
Where can I find more information about CVE-2013-6460?
More information about CVE-2013-6460 can be found in the references: http://www.openwall.com/lists/oss-security/2013/12/27/2, http://www.securityfocus.com/bid/64513, https://access.redhat.com/security/cve/cve-2013-6460
- collector/nvd-index
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/remedy
- agent/description
- agent/first-publish-date
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/tags
- agent/softwarecombine
- agent/event
- vendor/nokogiri
- canonical/nokogiri nokogiri
- version/nokogiri nokogiri/1.5.0
- version/nokogiri nokogiri/1.6.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/redhat
- canonical/redhat cloudforms management engine
- version/redhat cloudforms management engine/5.0
- canonical/redhat openstack
- version/redhat openstack/3.0
- version/redhat openstack/4.0
- canonical/redhat satellite
- version/redhat satellite/6.0
- canonical/redhat subscription asset manager
- canonical/redhat enterprise mrg
- version/redhat enterprise mrg/2.0
- package-manager/debian