7.5

CVE-2013-0156

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RubyonrailsRails Version >= 3.2.0 < 3.2.11
RubyonrailsRuby On Rails Version < 2.3.15
RubyonrailsRuby On Rails Version >= 3.0.0 < 3.0.19
RubyonrailsRuby On Rails Version >= 3.1.0 < 3.1.10
DebianDebian Linux Version6.0
DebianDebian Linux Version7.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 99.45% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
Third Party Advisory
Mailing List
http://rhn.redhat.com/errata/RHSA-2013-0154.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0155.html
Third Party Advisory
http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
Third Party Advisory
US Government Resource
http://rhn.redhat.com/errata/RHSA-2013-0153.html
Third Party Advisory
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
Vendor Advisory
http://www.debian.org/security/2013/dsa-2604
Third Party Advisory
http://www.fujitsu.com/global/support/software/security/products-f/sw-sv-rcve-ror201301e.html
Third Party Advisory
http://www.insinuator.net/2013/01/rails-yaml/
Third Party Advisory
http://www.kb.cert.org/vuls/id/380039
Third Party Advisory
US Government Resource
http://www.kb.cert.org/vuls/id/628463
Third Party Advisory
US Government Resource
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
Third Party Advisory
https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain
Third Party Advisory
https://puppet.com/security/cve/cve-2013-0156
Third Party Advisory