CVE-2014-8090, severity moderate (SUSE rating): 40 affected source package names (4.0.0:libruby2_1-2_1-2.1.2-9.1, 4.0.0:ruby2.1-2.1.2-9.1, …), 160 product×package rows across 52 product lines (Container caasp/v4/velum, Image SLES12-SP5-Azure-BYOS, …); all 160 rows have a fix available.
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.