CVE-2013-0156

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

History

13 Feb 2023, 00:27

Type Values Removed Values Added
References
  • {'url': 'https://access.redhat.com/security/cve/CVE-2013-0156', 'name': 'https://access.redhat.com/security/cve/CVE-2013-0156', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://bugzilla.redhat.com/show_bug.cgi?id=892870', 'name': 'https://bugzilla.redhat.com/show_bug.cgi?id=892870', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2013:0153', 'name': 'https://access.redhat.com/errata/RHSA-2013:0153', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2013:0154', 'name': 'https://access.redhat.com/errata/RHSA-2013:0154', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/errata/RHSA-2013:0155', 'name': 'https://access.redhat.com/errata/RHSA-2013:0155', 'tags': [], 'refsource': 'MISC'}
Summary CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

02 Feb 2023, 18:16

Type Values Removed Values Added
Summary active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion. CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack
References
  • (MISC) https://access.redhat.com/security/cve/CVE-2013-0156 -
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=892870 -
  • (MISC) https://access.redhat.com/errata/RHSA-2013:0153 -
  • (MISC) https://access.redhat.com/errata/RHSA-2013:0154 -
  • (MISC) https://access.redhat.com/errata/RHSA-2013:0155 -

Information

Published : 2013-01-13 22:55

Updated : 2023-12-10 11:16


NVD link : CVE-2013-0156

Mitre link : CVE-2013-0156

CVE.ORG link : CVE-2013-0156


JSON object : View

Products Affected

rubyonrails

  • ruby_on_rails
  • rails

debian

  • debian_linux
CWE
CWE-20

Improper Input Validation