Vulnerability CVE-2013-0156


Published: 2013-01-13   Modified: 2013-01-14

Description:
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

See advisories in our WLB2 database:

Risk   Topic                                                            Author               Date
Med.   Action Pack DoS & SQL Injection & Code Execution                 Aaron Patterson      09.01.2013
High   Ruby On Rails XML Processor YAML Deserialization Code Execution  charliesome          11.01.2013
Low    The First MicroFinance Bank | RCE / File Upload                  Infinity Securit...  24.06.2017

Type: CWE-20 (Improper Input Validation)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial
Affected software:
Rubyonrails -> Rails
Rubyonrails -> Ruby on rails
Debian -> Debian linux

References:
http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
http://rhn.redhat.com/errata/RHSA-2013-0153.html
http://rhn.redhat.com/errata/RHSA-2013-0154.html
http://rhn.redhat.com/errata/RHSA-2013-0155.html
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
http://www.debian.org/security/2013/dsa-2604
http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html
http://www.insinuator.net/2013/01/rails-yaml/
http://www.kb.cert.org/vuls/id/380039
http://www.kb.cert.org/vuls/id/628463
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain
https://puppet.com/security/cve/cve-2013-0156

Copyright 2024, cxsecurity.com