CVE-2013-0156
published 2013-01-13
high 7.5 (CVSS 2.0 base score; vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
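The description above names the mechanism: an XML request body could carry a `type="yaml"` or `type="symbol"` attribute, and the XML-to-params conversion honoured it, handing the element text to the YAML loader (arbitrary object instantiation) or to `String#to_sym` (unbounded symbol creation on Rubies without symbol GC). The Ruby script below is an added illustration written for this page; it is neither Rails code nor the public exploit. It models the pre-fix cast table beside the fixed table with the two entries removed, and uses a hypothetical harmless class `Greeting` in place of whatever object an attacker would really target. `Greeting`, `params_from_xml`, `unrestricted_yaml` and the element names are assumptions; the nested-entity denial of service also mentioned in the description is not shown.

```ruby
require "rexml/document"
require "yaml"

# Harmless stand-in for the class an attacker would really instantiate.
# Hypothetical; not part of Rails or of the original exploit.
class Greeting
  attr_reader :msg
  def initialize(msg = "hello")
    @msg = msg
  end
end

# Psych >= 3.3.2 calls the unrestricted loader unsafe_load; older Psych's
# load already accepts arbitrary tags. This mirrors the 2013-era behaviour.
def unrestricted_yaml(str)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(str) : YAML.load(str)
end

# Cast table modelled on the pre-fix conversions.rb: the type="..." attribute
# of an XML element selects the cast. "yaml" and "symbol" are the two entries
# CVE-2013-0156 is about; the others are ordinary casts kept for context.
VULNERABLE_CASTS = {
  "integer" => ->(v) { Integer(v.strip) },
  "boolean" => ->(v) { %w[true 1].include?(v.strip) },
  "symbol"  => ->(v) { v.strip.to_sym },        # unbounded symbol creation
  "yaml"    => ->(v) { unrestricted_yaml(v) },  # arbitrary object instantiation
}.freeze

# Fixed table: with the two dangerous casts removed, such elements fall
# through to plain strings, which is what the patched releases do.
SAFE_CASTS = VULNERABLE_CASTS.reject { |type, _| %w[yaml symbol].include?(type) }.freeze

# Minimal model of XML-to-params conversion (assumed helper): one level of
# child elements under the root, each cast according to its type attribute.
def params_from_xml(xml, casts)
  doc = REXML::Document.new(xml)
  doc.root.elements.each_with_object({}) do |el, params|
    type = el.attributes["type"]
    text = el.text.to_s
    params[el.name] = casts.key?(type) ? casts[type].call(text) : text
  end
end

# Constructed request body: a YAML payload that instantiates Greeting and a
# symbol payload, next to an ordinary integer parameter.
ATTACK_XML =
  "<request>" \
  "<name type=\"yaml\">--- !ruby/object:Greeting\nmsg: injected\n</name>" \
  "<tag type=\"symbol\">lookup_me</tag>" \
  "<count type=\"integer\">3</count>" \
  "</request>"

if __FILE__ == $PROGRAM_NAME
  vuln = params_from_xml(ATTACK_XML, VULNERABLE_CASTS)
  puts "vulnerable: name=#{vuln['name'].inspect} tag=#{vuln['tag'].inspect}"
  safe = params_from_xml(ATTACK_XML, SAFE_CASTS)
  puts "fixed:      name=#{safe['name'].inspect} tag=#{safe['tag'].inspect}"
end
```

With the vulnerable table, `name` comes back as a live `Greeting` whose `@msg` the request chose, and `tag` as a new Symbol; with the fixed table both are plain strings while the integer cast still works. The upstream advisory's workaround for applications that could not upgrade was the same idea applied to the real table, deleting the `"symbol"` and `"yaml"` entries from `ActiveSupport::XmlMini::PARSING` in an initializer, or removing XML from the parameter parsers altogether.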
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| actionpack_project | actionpack | >= 0 < 2.3.15 | 2.3.15 |
| actionpack_project | actionpack | >= 3.0.0 < 3.0.19 | 3.0.19 |
| actionpack_project | actionpack | >= 3.1.0 < 3.1.10 | 3.1.10 |
| actionpack_project | actionpack | >= 3.2.0 < 3.2.11 | 3.2.11 |
| dan_kubb | extlib | <= 0.9.15 | — |
| dan_kubb | extlib | >= 0 < 0.9.16 | 0.9.16 |
| debian | rails | < rails 2.3.14.1 (bookworm) | rails 2.3.14.1 (bookworm) |
| debian | ruby-crack | < ruby-crack 0.3.2-1 (bookworm) | ruby-crack 0.3.2-1 (bookworm) |
| debian | ruby-extlib | < ruby-extlib 0.9.15-3 (bookworm) | ruby-extlib 0.9.15-3 (bookworm) |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | 7.5 | HIGH | — |
| osv | 7.5 | HIGH | — |
| vulncheck | 7.5 | HIGH | — |