VYPR
Get started
← All advisories
Moderate severityNVD Advisory· Published Jul 26, 2015· Updated May 6, 2026

CVE-2015-3227

CVE-2015-3227

Description

The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
activesupportRubyGems
>= 4.0.0.beta1, < 4.1.114.1.11
activesupportRubyGems
>= 4.2.0.beta1, < 4.2.24.2.2
activesupportRubyGems
< 3.2.223.2.22

Affected products

13
  • Rubyonrails/Rails11 versions
    cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*+ 10 more
    • cpe:2.3:a:rubyonrails:rails:4.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*
  • OpenSUSE/openSUSE2 versions
    cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
    • cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Patches

3
12f763ce1131
https://github.com/rails/railsvia ghsa
commit
153cc843ad95
https://github.com/rails/railsvia ghsa
commit
78b29e08c700
https://github.com/rails/railsvia ghsa
commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

13

News mentions

0

No linked articles in our index yet.