CVE-2013-0156

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
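The mechanism in that description, as an added stand-alone model rather than Rails' own code: Action Pack's XML parameter parsing looked up each element's `type` attribute in a type-cast table, and in the affected releases that table included a `symbol` cast and a `yaml` cast that ran on request-controlled text, so a client could make the server build a Symbol or deserialize arbitrary Ruby objects. The patched releases removed those two entries from ActiveSupport's XmlMini type table, which is also what the published workaround did. The `AuditRecord` class, the `params_from_xml` helper and the request body below are constructed for this example and are not part of the page or of Rails; the YAML payload names a harmless class to show the type being chosen by the client, not the exploit chain.

```ruby
require "rexml/document"
require "yaml"

# Assumed application class: the request should never be able to build one,
# yet the "yaml" cast lets the client pick any loadable class by name.
class AuditRecord
  attr_reader :note
end

# Psych 4 (Ruby 3.1+) made YAML.load safe by default; the vulnerable Rails
# releases ran the old fully unsafe loader, which YAML.unsafe_load reproduces.
def unsafe_yaml_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Model of the vulnerable cast table: "symbol" and "yaml" let the request body
# choose the Ruby type of a parameter (object injection).
VULNERABLE_PARSING = {
  "integer" => ->(s) { s.to_i },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
  "symbol"  => ->(s) { s.to_sym },
  "yaml"    => ->(s) { unsafe_yaml_load(s) },
}.freeze

# Hardened table: the two dangerous casts are removed, so a request asking for
# them falls through to plain string handling.
FIXED_PARSING = VULNERABLE_PARSING.reject { |type, _| %w[symbol yaml].include?(type) }.freeze

# Turn the children of the root element into a params-like hash, applying the
# "type" attribute only when the table has a caster for it.
def params_from_xml(xml, table)
  doc = REXML::Document.new(xml)
  params = {}
  doc.root.elements.each do |el|
    text = el.text.to_s
    caster = table[el.attributes["type"]]
    params[el.name] = caster ? caster.call(text) : text
  end
  params
end

# Constructed request body (not captured traffic): the client requests a
# Symbol and a YAML-decoded object of a class of its own choosing.
ATTACKER_XML = <<~XML
  <request>
    <count type="integer">3</count>
    <name type="symbol">lookup_me</name>
    <extra type="yaml">--- !ruby/object:AuditRecord
  note: injected via YAML cast
  </extra>
  </request>
XML

if $PROGRAM_NAME == __FILE__
  vulnerable = params_from_xml(ATTACKER_XML, VULNERABLE_PARSING)
  fixed      = params_from_xml(ATTACKER_XML, FIXED_PARSING)
  puts "vulnerable: name=#{vulnerable['name'].inspect} extra=#{vulnerable['extra'].class}"
  puts "fixed:      name=#{fixed['name'].inspect} extra=#{fixed['extra'].class}"
end
```

With the vulnerable table the `extra` parameter arrives as an `AuditRecord` instance and `name` as a Symbol; with the hardened table both stay Strings. Removing the casts is the same change as the advisory's workaround of deleting the `"symbol"` and `"yaml"` keys from `ActiveSupport::XmlMini::PARSING`, but upgrading to a release at or past those listed on this page is the real remedy, since the same releases also addressed the entity-expansion denial of service noted above.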
Severity
UNKNOWN (no CVSS 3.x base score is recorded for this entry; the vector below is CVSS 2.0)
CVSS 2.0 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P (base score 7.5)
Attack Vector: NETWORK
Attack Complexity: LOW
EPSS Score
Percentile: 99%
Vendor        Product         Version
rubyonrails   rails           3.2.0 ≤ x < 3.2.11
rubyonrails   ruby_on_rails   x < 2.3.15
rubyonrails   ruby_on_rails   3.0.0 ≤ x < 3.0.19
rubyonrails   ruby_on_rails   3.1.0 ≤ x < 3.1.10
debian        debian_linux    6.0
debian        debian_linux    7.0
x = vulnerable software versions
Debian Releases
Product: rails
Codename              Version                      Status
bullseye (security)   2:6.0.3.7+dfsg-2+deb11u2     fixed
bullseye              2:6.0.3.7+dfsg-2+deb11u2     fixed
bookworm              2:6.1.7.3+dfsg-2~deb12u1     fixed
sid                   2:6.1.7.3+dfsg-4             fixed
trixie                2:6.1.7.3+dfsg-4             fixed
Ubuntu Releases
(dne = the package does not exist in that release. The Ubuntu fixed versions carry backported patches and keep the original upstream version number, so 2.3.14-4ubuntu0.1 is fixed even though it is numerically below the upstream fixed release 2.3.15; a scanner that compares version strings against the upstream ranges above will flag these packages falsely.)

Product: libextlib-ruby
  vivid     dne
  utopic    dne
  trusty    dne
  saucy     dne
  raring    dne
  quantal   dne
  precise   Fixed 0.9.13-2+deb6u1build0.12.04.1 (released)
  oneiric   ignored
  lucid     ignored
  hardy     dne

Product: rails
  vivid     not-affected
  utopic    not-affected
  trusty    dne
  saucy     not-affected
  raring    not-affected
  quantal   not-affected
  precise   not-affected
  oneiric   not-affected
  lucid     ignored
  hardy     ignored

Product: ruby-activesupport-2.3
  vivid     dne
  utopic    dne
  trusty    dne
  saucy     not-affected
  raring    not-affected
  quantal   Fixed 2.3.14-4ubuntu0.1 (released)
  precise   Fixed 2.3.14-2ubuntu0.12.04.1 (released)
  oneiric   Fixed 2.3.14-2ubuntu0.11.10.1 (released)
  lucid     dne
  hardy     dne

Product: ruby-activesupport-3.2
  vivid     dne
  utopic    dne
  trusty    dne
  saucy     not-affected
  raring    not-affected
  quantal   Fixed 3.2.6-4ubuntu0.1 (released)
  precise   dne
  oneiric   dne
  lucid     dne
  hardy     dne

Product: ruby-extlib
  vivid     not-affected
  utopic    not-affected
  trusty    dne
  saucy     not-affected
  raring    not-affected
  quantal   Fixed 0.9.15-2ubuntu0.1 (released)
  precise   dne
  oneiric   dne
  lucid     dne
  hardy     dne