CVE - CVE-2014-8090
<?xml version="1.0"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8"/> <meta name="description" content="The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities."/> <link href="/web/20240809233142cs_/https://cve.mitre.org/css/main.css" rel="stylesheet" type="text/css"/> <title>CVE - CVE-2014-8090 </title> </head> <body> <div id="Page"> <!-- begin section menu --> <div id="LeftPane"> </div> <!-- end section menu --> <!-- begin content pane --> <div id="CenterPane"><!--begin Main Content--> <div id="GeneratedTable"> <table cellpadding="0" cellspacing="0" border="0" width="100%"> <tr> <th colspan="2">CVE-ID</th> </tr> <tr> <td nowrap="nowrap" align="center" valign="top"> <h2>CVE-2014-8090</h2> </td> <td valign="top" class="ltgreybackground"> 
<div class="larger"><a href="https://web.archive.org/web/20240809233142/https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8090" target="_blank">Learn more at National Vulnerability Database (NVD)</a></div> <div class="smaller">• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information</div> </td> </tr> <tr> <th colspan="2">Description</th> </tr> <tr> <td colspan="2">The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080. </td> </tr> <tr> <th colspan="2">References</th> </tr> <tr> <td colspan="2" class="note"> <b>Note:</b> <a href="/web/20240809233142/https://cve.mitre.org/data/refs/index.html">References</a> are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete. 
</td> </tr> <tr> <td colspan="2"> <ul> <li>APPLE:APPLE-SA-2015-09-30-3 <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html">URL:http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html</a> <li>BID:71230 <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://www.securityfocus.com/bid/71230">URL:http://www.securityfocus.com/bid/71230</a> <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://advisories.mageia.org/MGASA-2014-0472.html">CONFIRM:http://advisories.mageia.org/MGASA-2014-0472.html</a> <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html">CONFIRM:http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html</a> <li><a target="_blank" href="https://web.archive.org/web/20240809233142/https://support.apple.com/HT205267">CONFIRM:https://support.apple.com/HT205267</a> <li><a target="_blank" href="https://web.archive.org/web/20240809233142/https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/">CONFIRM:https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/</a> <li>DEBIAN:DSA-3157 <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://www.debian.org/security/2015/dsa-3157">URL:http://www.debian.org/security/2015/dsa-3157</a> <li>DEBIAN:DSA-3159 <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://www.debian.org/security/2015/dsa-3159">URL:http://www.debian.org/security/2015/dsa-3159</a> <li>MANDRIVA:MDVSA-2015:129 <li>URL:<s>http://www.mandriva.com/security/advisories?name=MDVSA-2015:129</s> (Obsolete source) <li>REDHAT:RHSA-2014:1911 <li><a target="_blank" 
href="https://web.archive.org/web/20240809233142/http://rhn.redhat.com/errata/RHSA-2014-1911.html">URL:http://rhn.redhat.com/errata/RHSA-2014-1911.html</a> <li>REDHAT:RHSA-2014:1912 <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://rhn.redhat.com/errata/RHSA-2014-1912.html">URL:http://rhn.redhat.com/errata/RHSA-2014-1912.html</a> <li>REDHAT:RHSA-2014:1913 <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://rhn.redhat.com/errata/RHSA-2014-1913.html">URL:http://rhn.redhat.com/errata/RHSA-2014-1913.html</a> <li>REDHAT:RHSA-2014:1914 <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://rhn.redhat.com/errata/RHSA-2014-1914.html">URL:http://rhn.redhat.com/errata/RHSA-2014-1914.html</a> <li>SECUNIA:59948 <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://secunia.com/advisories/59948">URL:http://secunia.com/advisories/59948</a> <li>SECUNIA:62050 <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://secunia.com/advisories/62050">URL:http://secunia.com/advisories/62050</a> <li>SECUNIA:62748 <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://secunia.com/advisories/62748">URL:http://secunia.com/advisories/62748</a> <li>SUSE:openSUSE-SU-2014:1589 <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://lists.opensuse.org/opensuse-updates/2014-12/msg00035.html">URL:http://lists.opensuse.org/opensuse-updates/2014-12/msg00035.html</a> <li>SUSE:openSUSE-SU-2015:0002 <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://lists.opensuse.org/opensuse-updates/2015-01/msg00000.html">URL:http://lists.opensuse.org/opensuse-updates/2015-01/msg00000.html</a> <li>SUSE:openSUSE-SU-2015:0007 <li><a target="_blank" 
href="https://web.archive.org/web/20240809233142/http://lists.opensuse.org/opensuse-updates/2015-01/msg00004.html">URL:http://lists.opensuse.org/opensuse-updates/2015-01/msg00004.html</a> <li>UBUNTU:USN-2412-1 <li><a target="_blank" href="https://web.archive.org/web/20240809233142/http://www.ubuntu.com/usn/USN-2412-1">URL:http://www.ubuntu.com/usn/USN-2412-1</a> </ul> </td> </tr> <tr> <th colspan="2">Assigning CNA</th> </tr> <tr> <td colspan="2">Red Hat, Inc.</td> </tr> <tr> <th colspan="2">Date Record Created</th> </tr> <tr> <td><b>20141010</b></td> <td class="ltgreybackground"> Disclaimer: The <a href="/web/20240809233142/https://cve.mitre.org/about/faqs.html#date_record_created_in_cve_record">record creation date</a> may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. </td> </tr> <tr> <th colspan="2">Phase (Legacy)</th> </tr> <tr> <td colspan="2">Assigned (20141010)</td> </tr> <tr> <th colspan="2">Votes (Legacy)</th> </tr> <tr> <td colspan="2"></td> </tr> <tr> <th colspan="2">Comments (Legacy)</th> </tr> <tr> <td colspan="2"><pre> </pre></td> </tr> <tr> <th colspan="2">Proposed (Legacy)</th> </tr> <tr> <td colspan="2">N/A</td> </tr> <tr> <td colspan="3" class="note"> This is a record on the <a href="/web/20240809233142/https://cve.mitre.org/cve/">CVE List</a>, which provides common identifiers for publicly known cybersecurity vulnerabilities.</td> </tr> </table> </div> <!--end Main Content--> </div><!-- end content pane --> </div> <!--/Page--> <!--Footer--> <div id="FootPane" class="noprint"> <div id="Footer"> <table> <tr> <td> <p>Use of the CVE® List and the associated references from this website are subject to the <a target="_blank" href="https://web.archive.org/web/20240809233142/https://www.cve.org/Legal/TermsOfUse">terms of use</a>. CVE is sponsored by the <a href="https://web.archive.org/web/20240809233142/https://www.dhs.gov/" target="_blank">U.S. Department of Homeland Security</a> (DHS) <a href="https://web.archive.org/web/20240809233142/https://www.dhs.gov/cisa/cybersecurity-division/" target="_blank">Cybersecurity and Infrastructure Security Agency</a> (CISA). 
Copyright © 1999–2024, <a href="https://web.archive.org/web/20240809233142/https://www.mitre.org/" target="_blank">The MITRE Corporation</a>. CVE and the CVE logo are registered trademarks of The MITRE Corporation.</p> </td> </tr> </table> <!--/Footer--> </div> </div> </body> </html>