The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
13 Feb 2023, 04:41
Type | Values Removed | Values Added |
---|---|---|
Summary | The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method. | |
References |
|
02 Feb 2023, 18:17
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | A flaw was found in the way Ruby on Rails handled hashes in certain queries. A remote attacker could use this flaw to perform a denial of service (resource consumption) attack by sending specially crafted queries that would result in the creation of Ruby symbols, which were never garbage collected. |
Information
Published : 2013-03-19 22:55
Updated : 2023-12-10 11:16
NVD link : CVE-2013-1854
Mitre link : CVE-2013-1854
CVE.ORG link : CVE-2013-1854
JSON object : View
Products Affected
rubyonrails
- rails
- ruby_on_rails
redhat
- enterprise_linux
CWE
CWE-20
Improper Input Validation