Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Ruby multi_xml 远程任意命令执行漏洞
Vulnerability Description
Grape 0.2.6版本也可能包括其他产品中使用的multi_xml gem 0.5.2 for Ruby中存在漏洞,该漏洞源于程序未正确限制字符串值的类型转换。远程攻击者可通过YAML类型转换或Symbol类型转换利用该漏洞实施对象注入攻击和执行任意代码,或造成与XML内嵌实体引用相关的拒绝服务(内存和CPU耗尽)。
CVSS Information
N/A
Vulnerability Type
N/A