CVE-2013-6461
First published: Tue Nov 05 2019(Updated: )
Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/ruby-nokogiri | 1.10.0+dfsg1-2 1.10.0+dfsg1-2+deb10u1 1.11.1+dfsg-2 1.13.10+dfsg-2 1.15.4+dfsg-1 | |
| Nokogiri Nokogiri | >=1.5.0<1.5.11 | |
| Nokogiri Nokogiri | >=1.6.0<1.6.1 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Redhat Cloudforms Management Engine | =5.0 | |
| Redhat Openstack | =3.0 | |
| Redhat Openstack | =4.0 | |
| Redhat Satellite | =6.0 | |
| Redhat Subscription Asset Manager | ||
| Redhat Enterprise Mrg | =2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA
- https://security-tracker.debian.org/tracker/CVE-2013-6461
- http://www.openwall.com/lists/oss-security/2013/12/27/2
- http://www.securityfocus.com/bid/64513
- https://access.redhat.com/security/cve/cve-2013-6461
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6461
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90059
Frequently Asked Questions
What is CVE-2013-6461?
CVE-2013-6461 is a vulnerability in the Nokogiri gem versions 1.5.x and 1.6.x that can lead to denial of service (DoS) attacks by failing to apply limits while parsing XML entities.
How severe is CVE-2013-6461?
CVE-2013-6461 has a severity rating of 6.5, which is considered medium.
Which software is affected by CVE-2013-6461?
The Nokogiri gem versions 1.5.x and 1.6.x are affected by CVE-2013-6461. Additionally, certain versions of the 'ruby-nokogiri' package in Debian Linux, Redhat Cloudforms Management Engine, Redhat Openstack, Redhat Satellite, Redhat Subscription Asset Manager, and Redhat Enterprise MRG are also affected.
How can I fix CVE-2013-6461?
To fix CVE-2013-6461, make sure you update to version 1.10.0+dfsg1-2 or later of the 'ruby-nokogiri' package in Debian Linux. For other affected software, check with the respective vendors for the latest updates and patches.
Where can I find more information about CVE-2013-6461?
You can find more information about CVE-2013-6461 at the following references: [Openwall](http://www.openwall.com/lists/oss-security/2013/12/27/2), [SecurityFocus](http://www.securityfocus.com/bid/64513), [Red Hat](https://access.redhat.com/security/cve/cve-2013-6461)
- collector/security-tracker-debian
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/type
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- package-manager/debian
- vendor/nokogiri
- canonical/nokogiri nokogiri
- version/nokogiri nokogiri/1.5.0
- version/nokogiri nokogiri/1.6.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/redhat
- canonical/redhat cloudforms management engine
- version/redhat cloudforms management engine/5.0
- canonical/redhat openstack
- version/redhat openstack/3.0
- version/redhat openstack/4.0
- canonical/redhat satellite
- version/redhat satellite/6.0
- canonical/redhat subscription asset manager
- canonical/redhat enterprise mrg
- version/redhat enterprise mrg/2.0