CVE-2013-1812 | Vulnerability Database | Aqua Security

The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.

Affected Software

Name	Vendor	Start Version	End Version
Fedora	Fedoraproject	17 (including)	17 (including)
Fedora	Fedoraproject	18 (including)	18 (including)
Libopenid-ruby	Ubuntu	lucid	*
Libopenid-ruby	Ubuntu	oneiric	*
Libopenid-ruby	Ubuntu	precise	*
Libopenid-ruby	Ubuntu	upstream	*
Ruby-openid	Ubuntu	quantal	*
Ruby-openid	Ubuntu	upstream	*

References

http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120204.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120361.html
http://www.openwall.com/lists/oss-security/2013/03/03/8
https://bugzilla.redhat.com/show_bug.cgi?id=918134
https://github.com/openid/ruby-openid/blob/master/CHANGELOG.md
https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
https://github.com/openid/ruby-openid/pull/43
http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120204.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120361.html
http://www.openwall.com/lists/oss-security/2013/03/03/8
https://bugzilla.redhat.com/show_bug.cgi?id=918134
https://github.com/openid/ruby-openid/blob/master/CHANGELOG.md
https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
https://github.com/openid/ruby-openid/pull/43

NVD	https://nvd.nist.gov/vuln/detail/CVE-2013-1812
CWE	https://cwe.mitre.org/data/definitions/399.html