CVE-2013-0269

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
Severity
UNKNOWN
AV:N/AC:L/Au:N/C:P/I:P/A:P
Atk. Vector
NETWORK
Atk. Complexity
LOW
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
VendorProductVersion
rubygemsjson_gem
1.5.0
rubygemsjson_gem
1.5.1
rubygemsjson_gem
1.5.2
rubygemsjson_gem
1.5.3
rubygemsjson_gem
1.5.4
rubygemsjson_gem
1.6.0
rubygemsjson_gem
1.6.1
rubygemsjson_gem
1.6.2
rubygemsjson_gem
1.6.3
rubygemsjson_gem
1.6.4
rubygemsjson_gem
1.6.5
rubygemsjson_gem
1.6.6
rubygemsjson_gem
1.6.7
rubygemsjson_gem
1.7.0
rubygemsjson_gem
1.7.1
rubygemsjson_gem
1.7.2
rubygemsjson_gem
1.7.3
rubygemsjson_gem
1.7.4
rubygemsjson_gem
1.7.5
rubygemsjson_gem
1.7.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-json
bullseye
2.3.0+dfsg-1
fixed
bookworm
2.6.3+dfsg-1
fixed
sid
2.7.2+dfsg-1
fixed
trixie
2.7.2+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-json
zesty
not-affected
yakkety
not-affected
xenial
not-affected
wily
not-affected
vivid
not-affected
utopic
not-affected
trusty
not-affected
saucy
not-affected
raring
ignored
quantal
ignored
precise
ignored
oneiric
ignored
lucid
dne
hardy
dne
ruby1.9.1
zesty
dne
yakkety
dne
xenial
dne
wily
dne
vivid
Fixed 1.9.3.194-7ubuntu1
released
utopic
Fixed 1.9.3.194-7ubuntu1
released
trusty
Fixed 1.9.3.194-7ubuntu1
released
saucy
Fixed 1.9.3.194-7ubuntu1
released
raring
Fixed 1.9.3.194-7ubuntu1
released
quantal
Fixed 1.9.3.194-1ubuntu1.3
released
precise
Fixed 1.9.3.0-1ubuntu2.5
released
oneiric
ignored
lucid
ignored
hardy
dne
References