CVE-2013-0156 — Vulnetix

Try Vulnetix Request Demo

CVE-2013-0156 REJECTED

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

EPSS 91.91% · 99.7th percentile

Risk Scores

EPSS Score

91.91%

99.7th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:14.04:LTS	ruby-extlib	0

Timeline

CVE Published
Jan 9, 2013 PoC Published
Jan 9, 2013 PoC Published
Jan 11, 2013 PoC Published
Jan 12, 2013 PoC Published
Jan 29, 2013 PoC Published
Sep 6, 2015 PoC Published
Feb 4, 2022 EPSS Score
Mar 28, 2022 EPSS Score
May 19, 2022 EPSS Score
Jul 10, 2022 EPSS Score
Oct 23, 2022 EPSS Score

References

https://ubuntu.com/security/CVE-2013-0156 third-party-advisory
http://www.insinuator.net/2013/01/rails-yaml/ third-party-advisory
http://www.openwall.com/lists/oss-security/2013/01/08/14 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2013-0156 third-party-advisory

Open in Interactive Console →