VDB
DEBIAN-CVE-2013-0156
PUBLISHED
CVSS 9.3 CRITICAL
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
Risk Scores
CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | rails | 0, 0, 0 |
| Debian:12 | rails | 0, 0, 0 |
| Debian:13 | rails | 0, 0, 0 |
| Debian:14 | rails | 0, 0, 0 |
Exploit Intelligence
- Modified ruby script for RCE (github-poc)
- This script is specifically designed to solve the challenge on PentesterLab for the CVE-2013-0156 exploit (github-poc)
- Pseudo shell for CVE-2013-0156. (github-poc)
- Arbitrary deserialization that can be used to trigger SQL injection and even Code execution (github-poc)
- Bootstrapped Rails 3.2.10 to test the remote code exploit CVE-2013-0156 (github-poc)
- crack repo from jnunemaker but with version 0.1.8 and rails CVE-2013-0156 vulnerability fixed (github-poc)
- Inspect all of your heroku apps to see if they are running a vulnerable version of Rails (github-poc)
- Silly Rails App to demonstrate vuln CVE-2013-0156 (github-poc)
- .bundler-audit.yml (github-poc)
- .bundler-audit.yml (github-poc)
…and 22 more exploits
Timeline
- Jan 13, 2013 CVE Published
- Jan 14, 2013 PoC Published
- Apr 25, 2013 PoC Published
- May 27, 2014 PoC Published
- May 14, 2016 PoC Published
- Mar 20, 2020 PoC Published
- Apr 28, 2026 CVE Updated