CVE-2013-1854 — Improper Input Validation in Rails

CWE-20 — Improper Input Validation CWE-400 — Uncontrolled Resource Consumption10 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

1.8%

top 17.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Activerecord Project Activerecord Redhat Enterprise Linux +1 more

Timeline

PublishedMar 19

Latest updateOct 24

Description

The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶RubyGemsactiverecord_project/activerecord2.3.0 — 2.3.18+2

▶Debianrubyonrails/rails< 2.3.14.1+3

▶NVDrubyonrails/rails37 versions+36

▶NVDrubyonrails/ruby_on_rails2.3.17, 3.1.11+1

Also affects: Enterprise Linux 6.0

🔴Vulnerability Details

OSV

Active Record Improper Input Validation↗2017-10-24

▶

GHSA

Active Record Improper Input Validation↗2017-10-24

▶

CVEList

CVE-2013-1854: The Active Record component in Ruby on Rails 2↗2013-03-19

▶

OSV

CVE-2013-1854: The Active Record component in Ruby on Rails 2↗2013-03-19

▶

📋Vendor Advisories

Red Hat

rubygem-activerecord: attribute_dos Symbol DoS vulnerability↗2013-03-18

▶

Debian

CVE-2013-1854: rails - The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3...↗2013

▶

💬Community

Bugzilla

CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability [epel-5]↗2013-03-21

▶

Bugzilla

CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability [fedora-18]↗2013-03-21

▶

Bugzilla

CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability↗2013-03-14

▶