7.5

CVE-2013-0156

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

Data is provided by the National Vulnerability Database (NVD)
RubyonrailsRails Version >= 3.2.0 < 3.2.11
RubyonrailsRuby On Rails Version < 2.3.15
RubyonrailsRuby On Rails Version >= 3.0.0 < 3.0.19
RubyonrailsRuby On Rails Version >= 3.1.0 < 3.1.10
DebianDebian Linux Version6.0
DebianDebian Linux Version7.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 92.04% 0.997
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://ics-cert.us-cert.gov/advisories/ICSA-13-036-01A
Third Party Advisory
US Government Resource
http://www.kb.cert.org/vuls/id/380039
Third Party Advisory
US Government Resource
http://www.kb.cert.org/vuls/id/628463
Third Party Advisory
US Government Resource