CVE-2013-0333

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
VendorProductVersion
rubyonrailsrails
2.3.0
rubyonrailsrails
2.3.1
rubyonrailsrails
2.3.2
rubyonrailsrails
2.3.3
rubyonrailsrails
2.3.4
rubyonrailsrails
2.3.9
rubyonrailsrails
2.3.10
rubyonrailsrails
2.3.11
rubyonrailsrails
2.3.12
rubyonrailsrails
2.3.13
rubyonrailsrails
2.3.14
rubyonrailsrails
2.3.15
rubyonrailsrails
3.0.0
rubyonrailsrails
3.0.0:beta
rubyonrailsrails
3.0.0:beta2
rubyonrailsrails
3.0.0:beta3
rubyonrailsrails
3.0.0:beta4
rubyonrailsrails
3.0.0:rc
rubyonrailsrails
3.0.0:rc2
rubyonrailsrails
3.0.1
rubyonrailsrails
3.0.1:pre
rubyonrailsrails
3.0.2
rubyonrailsrails
3.0.2:pre
rubyonrailsrails
3.0.3
rubyonrailsrails
3.0.4:rc1
rubyonrailsrails
3.0.5
rubyonrailsrails
3.0.5:rc1
rubyonrailsrails
3.0.6
rubyonrailsrails
3.0.6:rc1
rubyonrailsrails
3.0.6:rc2
rubyonrailsrails
3.0.7
rubyonrailsrails
3.0.7:rc1
rubyonrailsrails
3.0.7:rc2
rubyonrailsrails
3.0.8
rubyonrailsrails
3.0.8:rc1
rubyonrailsrails
3.0.8:rc2
rubyonrailsrails
3.0.8:rc3
rubyonrailsrails
3.0.8:rc4
rubyonrailsrails
3.0.9
rubyonrailsrails
3.0.9:rc1
rubyonrailsrails
3.0.9:rc2
rubyonrailsrails
3.0.9:rc3
rubyonrailsrails
3.0.9:rc4
rubyonrailsrails
3.0.9:rc5
rubyonrailsrails
3.0.10
rubyonrailsrails
3.0.10:rc1
rubyonrailsrails
3.0.11
rubyonrailsrails
3.0.12
rubyonrailsrails
3.0.12:rc1
rubyonrailsrails
3.0.13
rubyonrailsrails
3.0.13:rc1
rubyonrailsrails
3.0.14
rubyonrailsrails
3.0.16
rubyonrailsrails
3.0.17
rubyonrailsrails
3.0.18
rubyonrailsrails
3.0.19
rubyonrailsruby_on_rails
3.0.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
rails
bullseye (security)
2:6.0.3.7+dfsg-2+deb11u2
fixed
bullseye
2:6.0.3.7+dfsg-2+deb11u2
fixed
bookworm
2:6.1.7.3+dfsg-2~deb12u1
fixed
sid
2:6.1.7.3+dfsg-4
fixed
trixie
2:6.1.7.3+dfsg-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rails
saucy
not-affected
raring
not-affected
quantal
not-affected
precise
not-affected
oneiric
not-affected
lucid
ignored
hardy
ignored
ruby-activesupport-2.3
saucy
not-affected
raring
not-affected
quantal
Fixed 2.3.14-4ubuntu0.2
released
precise
Fixed 2.3.14-2ubuntu0.12.04.2
released
oneiric
Fixed 2.3.14-2ubuntu0.11.10.2
released
lucid
dne
hardy
dne
ruby-activesupport-3.2
saucy
not-affected
raring
not-affected
quantal
not-affected
precise
dne
oneiric
dne
lucid
dne
hardy
dne
References
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
http://rhn.redhat.com/errata/RHSA-2013-0201.html
http://rhn.redhat.com/errata/RHSA-2013-0202.html
http://rhn.redhat.com/errata/RHSA-2013-0203.html
http://support.apple.com/kb/HT5784
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
http://www.debian.org/security/2013/dsa-2613
http://www.kb.cert.org/vuls/id/628463
https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain
https://puppet.com/security/cve/cve-2013-0333
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
http://rhn.redhat.com/errata/RHSA-2013-0201.html
http://rhn.redhat.com/errata/RHSA-2013-0202.html
http://rhn.redhat.com/errata/RHSA-2013-0203.html
http://support.apple.com/kb/HT5784
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
http://www.debian.org/security/2013/dsa-2613
http://www.kb.cert.org/vuls/id/628463
https://groups.google.com/group/rubyonrails-security/msg/52179af76915e518?dmode=source&output=gplain
https://puppet.com/security/cve/cve-2013-0333